Third Party Offers Patch for IE Hole

By Nate Mook | Published March 28, 2006, 11:16 AM

While Microsoft debates whether to release a critical update for Internet Explorer before the next Patch Tuesday on April 11, security firm eEye Digital Security has released its own patch. The flaw, discovered last week, puts IE users at risk of code execution simply by visiting a malicious Web site.

The flaw lies in how IE interprets the "createTextRange()" method used for radio button controls in HTML forms. It can be exploited to redirect program flow to the heap, at which point the attacker can execute code on an affected computer.

The vulnerability has been given a high severity rating by a number of security firms including eEye, which recommends that users disable Active Scripting from within Internet Explorer. However, the company is also offering a temporary patch for those organizations that require the feature.

The downloadable fix from eEye blocks access to the component within IE that is vulnerable, preventing malicious sites from exploiting the problem to install a backdoor or other malware.

"This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," eEye says in its advisory. "Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released."

eEye released a similar unofficial patch following the discovery of a security vulnerability in Windows Meta File (WMF) image handling last December. The high-profile flaw and subsequent exploits forced Microsoft to release an official fix out of schedule.

However, the new flaw appears to be much less widespread, according to Microsoft, and other security firms are not recommending eEye's fix. eEye initially held back the source code to the patch, but later posted it online following criticism by security experts.

Microsoft says it is "actively keeping an eye on any attempts to utilize this in an attack" and will release a patch sooner if deemed necessary. It recommends that users wait for the official update or disable Active Scripting entirely.

"We cannot recommend third party solutions that modify the way the product itself operates," said Mike Reavey from Microsoft's Security Response Center. "The reason is really around the fact that we carefully review and test our security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility."

"Customers of course can weigh the risk of deploying a third party 'patch' but it's unclear what impact this will have on the system," Reavey added.

Comments


My friend got hit with a Trojan Monday and it had to be from this IE Hole. I blogged it at www.msmvps.com/shelluser. The machine is fully patched and had NAV 2005 on it. I put Windows OneCare on it because NAV failed to catch the file that magically appeared on the desktop!

Score: 0


"The machine is fully patched and had NAV 2005 on it"

Right, because nothing malicious can ever get past NAV 2005 :D

Score: 0


There's also an unofficial patch/feature-disabling-workaround available at:

http://www.determina.com...isory_march272006_1.asp

Score: 0


=/

Could that really be called a patch?

Sounds a heck of a lot like a feature-disabling workaround to me. And, it's only temporary. I'm not complaining or anything, but give credit where credit is due. And when it's not due... don't?

...or maybe I'm just nit-picking.

Score: 0


I have got the very best fix for the problem. Don't use it.

Score: 0


Or use an alternative browser. Done deal.

Score: 0


While I hate MS and the idea of having to wait for a known bug to be fixed as much as the next guy, most of you forget why MS created patch Tuesday.

It's so admins of large networks can expect patches on one day of the month, instead of scrambling to patch 500 machines every week or two whenever a new bug fix is out.

Problem is some of these nasty bugs are found within a week or so after patch Tuesday, so over the next 3+ weeks there is time for sites to abuse these security holes. It might only take MS a few days to make the patch, but they are going to wait a couple weeks until Patch Tuesday even if it is ready, which is why companies are starting to create their own like this.

Score: 0


"most of you forget why MS created patch Tuesday."

I thought it was because MS was sick of all the bad press every time a single patch became available (1 critical patch out of the blue = important breaking news report) and so made this a 'feature' (7 critical patches on a single day in a regular schedule = minor news report). Admittedly it was a pain for sysadmins to deal with a trickle of patches, but a regular weekly patch release would have been much better from a security POV. They even could have done it such that non-critical patches were only released once a month but had a separate weekly critical cycle. But they didn't.

Score: 0


It's so comforting to know that Microsoft cares so much about its customers that they are willing to wait to see if a few of their lab rats get exploited before fixing a problem that was found beforehand.

Score: 0


oh yeah, and it's chaos in the world right now because of all the people and machines affected by this .... i might not even get paid on friday since everyone in the world is suffering by this flaw ..... oh the horror !!!!!!!!!!

*** cricket !! cricket !! ***

Score: 0


I don't know what anyone's talking about, I haven't seen this exploi@#$WERWF@#R@R@#R@CRWWR2


23r 23
4234
234

NO CARRIER

(heh)

Score: 0


It's sad to see that a 3rd party has to come up with a patch while the guys and gals at MS are still debating about it...

Score: 0


Not sure if SAD is the correct word. What will eEye Digital Security do when MS patches? Are they going to claim that they cannot use it because it is theirs? :)

Score: 0


read the article dips***:

The downloadable fix from eEye blocks access to the component within IE that is vulnerable, preventing malicious sites from exploiting the problem to install a backdoor or other malware.

"This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," eEye says in its advisory. "Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released."

Score: 0


Hey, at least they provide a fix while MS is still at the debating stage!!!!

I guess you shouldn't be calling me names but MS.

Score: 0


This isn't the first time 3rd parties have released patches. How pathetic. I know MS has to test, but they really should only need a day to write the test, and a day to test the patch. They have billions in cash, surely they have billions of ways to test a patch quickly?

Score: 0


they have more to lose though if something goes wrong than random firm xyz. given the magnitude of windows and ie's deep integration with it, it's not in microsoft's best interest to rush out a patch given what could go wrong.

besides ... you also need to read the article:

The downloadable fix from eEye blocks access to the component within IE that is vulnerable, preventing malicious sites from exploiting the problem to install a backdoor or other malware.

"This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," eEye says in its advisory. "Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released."

Score: 0


I cannot believe that MS is so retarded and slow that a 3rd party has to release a patch for IE.

Hahahahha.

Yeah....I really want Vista.....yeah.........yeah that's it.

Score: 0


damn it ... don't any of you read the article???

Score: 0


"While Microsoft debates whether to release a critical update for Internet Explorer before the next Patch Tuesday on April 11..."

No offence Nate, but at this point I don't think Microsoft is "debating" releasing the security patch before patch Tuesday, as it is likely not finished yet anyway. Until they actually finish testing the patch they cannot debate it much.

I could be wrong. I think MS would release an official patch before patch tuesday if it were ready before then--if nothing else to prevent naysayers from overhyping the "problems" of having patch Tuesdays and such.

Score: 0


the 19 sites that have been identified as exploiting the flaw should be publicly humiliated, as well as any others that try.

MS has only so many fingers to plug holes with and much larger fish to fry at any given point.

Score: 0
