Microsoft Releases Critical IE Patch

Laura Brown writes "Microsoft has released its security software patches for April. The most anticipated is the MS06-013 patch, which fixes several IE bugs, including the "create TextRange ()" vulnerability. Hackers had been exploiting this problem by installing unauthorized software on PCs. "

The Exploit

[eldavojohn]

The Exploit If you want to know more about the exploit that this release is supposed to fix, here is a shellcoded from of it [milw0rm.com] (dated 03.22.2006).

And here's Microsoft's acknowledgement [microsoft.com] of the exploit (dated 03.23.2006).

And here's an "expert" saying that releasing the above exploit is irresponsible [sys-con.com] (dated 03.24.2006).

It is now 04.12.2006 and a patch is out to correct it.

*checks his watch*

Not bad, but your response time could use some imporvement.

ActiveX, Java and Flash controls may be impacted

[Dynamoo]

Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elswhere.

This won't affect IE6 on Windows 2000, and it's worth noting that things like Flash will work just fine in Firefox, Mozilla or Opera on Windows too.

Re:The Exploit

[Ravatar]

It was released on the second Tuesday of the month (April 11). Microsoft has been releasing fixes on this schedule for several months now, maybe longer. They do this so that every patch on the release board gets the full testing cycle it deserves. Microsoft rarely releases patches off-schedule now.

Re:ActiveX, Java and Flash controls may be impacte

[Takeel]

Bundled in with this patch is a change to the behaviour of embedded controls in IE6 on Windows XP, due to the Eolas patent issue [slashdot.org]. This means that things like Flash navigation or Java widgets might not work without being clicked first to activate. TechWeb have a good article [techweb.com] with a summary of the changes, along with some links elswhere.

Amusingly, this behavior can be disabled with either a patch or a registry change. [microsoft.com]

Re:I DLed them this AM. A question...

[flight_master]

Don't forget all the proprietary apps out there that use the IE ActiveX plugin!

Re:Schedule Over Security?

[shawnce]

They haven't figured out how to do what? What does making it available ASAP instead of on a schedule that their major corporate customers have strongly requested have to do with "number and caliber of computer science researchers" at Microsoft.

Regardless they will and do relevant testing, takes days to weeks depending on scope of change its effects... sometimes the effects ripple out to third-parties which can further delay deployment.

I generally don't like Windows the product or many of MS current and prior practices but I do understand the issue they face when releasing a patch into such a large and diverse customer ecosystem.

The article's titles doesn't do it justice

[suv4x4]

The patch in question patches not less than 10 critical patches in IE and Windows that can be used to compromise your system.

Source

[Goodgerster]

Downloadable immediately from here [getfirefox.com].

Re:Schedule Over Security?

[rbochan]

...For the number and caliber of computer science researchers Microsoft has at its disposal, and the priority they've put on increased marketing bullshit, it's strange ...

There, fixed that for you.

Re:Why?

[J0nne]

The IETab extension [mozilla.org] can switch the rendering engine within Firefox. You can even add a list of websites that should always use IE's engine. This way your users won't have to start IE seperately (and probably won't even notice the switching of the engine).

I'm not sure if you can install it automatically (through sms or whatever it's called), so it might not be practical if you have to install it on a lot of computers.

Re:You mean, IE users point and laugh

[Anonymous Coward]

Flash ads will keep working. You need to click only if you want to start *interacting* with the object.

Also, this "click to enable" feature can be bypassed using JavaScript. That is not a bug, Microsoft allowed this as a workaround.