
Micro$oft urges upgrade to IE6-SP-1


MikeHunt


Microsoft Urges Move To IE 6 Service Pack 1 Following Code Leak

(URL: http://www.crn.com/sections/BreakingNews/d...rticleID=48010)

By Paula Rooney

CRN

1:32 PM EST Tues., Feb. 17, 2004

Microsoft is advising customers to move to Internet Explorer 6 Service Pack 1 and more recent patches following the leak of Windows NT and Windows 2000 source code to the Internet last week.

While downplaying the potential for hackers to uncover new vulnerabilities in Windows by having access to the source code, one top Microsoft Windows executive said during a monthly security briefing on Tuesday that customers using IE 5.x or IE 4.X versions should quickly download the latest IE code to protect their networks.

"Most of IE code is what was leaked," said Chris Jones, corporate vice president in the Windows Core Operating System Division, about the NT 4.0 and Windows 2000 code that leaked. "We don't believe [customers will be affected] so as long as they're current on the latest versions of IE. They need to move to IE 6 and security patches and service packs."

IE 6.0 Service Pack 1 was released during the fourth quarter of 2002 and is currently integrated into Windows XP Service Pack 1 and Windows Server 2003, Microsoft executives said. Jones also advised customers to access the latest security fixes and patches to address critical and important Windows and IE vulnerabilities, including a significant release earlier this month.

During the monthly security Webcast on Tuesday, Jones and Mike Nash, Microsoft's corporate vice president of the Security Business and Technology Unit, acknowledged Microsoft is actively investigating reports published over the weekend about a new IE vulnerability identified as a result of the leaked code.

Microsoft is confident that its own engineering staff has uncovered a good amount of the vulnerabilities, but the executives allowed for the possibility that there could be more IE 5.0 code that hackers could exploit. "We have done source code inspection, but we are doing due diligence," said Jones, noting that one of the IE vulnerabilities discussed over the weekend--in the Windows 2000 Service Pack 1--was already fixed by Microsoft in IE 6.0 Service Pack 1.

Microsoft's security executives also advised enterprise customers that are still running IE 5.5, IE 5.0 or IE 4 to disable code execution features if they don't move to IE 6.0 Service Pack 1 and patches.

"We designed in security zones so [customers] can enable or disable browser features," Jones said during the one-hour Webcast. "I can set up Internet Explorer 4 and higher to not allow scripting or controls or other advanced technologies [to execute on IE]."

While several observers in the open-source and Windows communities dismissed the possibility of a large-scale attack based on the code leak late last week, one analyst acknowledged that it will be a test of Microsoft's own bug-finding capabilities. "Since Microsoft started going through its code as part of the Trustworthy Computing Initiative, it has had difficulty finding all the vulnerabilities," said Michael Cherry, an analyst with Directions on Microsoft, a newsletter in Kirkland, Wash. "I think that the latest Windows vulnerability, ASN.1, was found by [security vendor] eEye, not Microsoft. Maybe many eyes would improve this, but it still requires substantial programming knowledge to look at code like this."

Late last week, a published report in BetaNews traced the leak to Microsoft ISV partner Mainsoft, Redwood Shores, Calif. While Mainsoft declined to acknowledge accountability, executives said they are working with Microsoft on the issue.

While Microsoft executives refuse to discuss the cause, they reiterated that the leak did not arise from a breach of the Microsoft corporate network or from the company's shared source licensing program, which distributes source code to select government, academic, corporate and systems integration entities.

"We're still working on the details and can't comment on active investigation," said Jones, noting Microsoft is working with the FBI to identify who is responsible. "We know it wasn't a breach of our network [or shared source]. We believe it came from another channel."

:wacko:


mozilla definitely. i'm on a windoze box and once i remembered not to click links in outlook express, haven't opened IE for some time now. i love the tabs.


opera is the best browser by far :P

I've been using Opera for years.... but I went back to using IE last autumn because the sites I was using would only display in IE....

Been trying out Mozilla Firefox for a week or so now.... but there are a few annoyances like the download manager not having a resume option...and not being able to integrate a download accelerator because it already has its own download manager.

Otherwise it's fine to use, but because of these little oversights, I think Opera wins hands down.
