General Chat Thread, Internet Explorer security alert in General; BBC NEWS | Technology | Internet Explorer security alert...
  1. #1



    Internet Explorer security alert


  2. #2


  3. #3

    Theblacksheep's Avatar

  4. #4

    Michael's Avatar
    Well disabling Active Scripting is a pain. Chances are Microsoft will release a patch early anyway. In the meantime I would recommend you apply the latest IE patch, that also fixes something like 27 bugs (apparently).

  5. #5
    sahmeepee's Avatar
    We're looking at disabling oledb32 temporarily via group policy or maybe zapping the registry key they mention in the advisory (to clobber "XML Island functionality"). Not sure what the impact will be yet... virtual machines are go!

    Anyone tried SIMS/FMS/MSAccess after any of these workarounds?

  6. #6

    GrumbleDook's Avatar
    I have asked to see if the infected code is being caught by our local RBC filters as this could help mitigate things.

    @Tom will this be caught in the next smoothwall update?

  7. #7


    tom_newton's Avatar
    Tony: things should be being caught as of last week.
    Not sure (as we only have PoC) how many "wild" exploits it will catch, but I would be happier with the rule than without.

    Those of you with "recommended security" rules on will be running it already.

  8. 4 Thanks to tom_newton:

    GrumbleDook (16th December 2008), ICT_GUY (17th December 2008), john (17th December 2008), kmount (16th December 2008)

  9. #8


    And that would be how a good company manages issues.

  10. #9
    sahmeepee's Avatar
    Well they aren't making a fix, they're doing a day-to-day update to their product's most fundamental function. By their own admission the fix is far from watertight so I'd be very wary of relying on it. I would be much happier with a client-side fix for this than hoping the smoothwall rules are accurate enough and stay accurate as variants emerge. (This is not a dig at smoothwall who are obviously doing what they can)

    From some experimentation with this demo of "XML island" functionality (which has nothing to do with the exploit code) it seems that putting a deny entry on the following registry key breaks the link between IE6 and MSXML3.dll:

    HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}

    I can't see why the Microsoft Advisory is suggesting people empty the contents of that key and subkeys instead of just setting an ACL entry. I suspect it's going to be a fair bit easier to remove that deny entry via GPO than to reconstruct a bunch of registry keys reliably.

    @Tom: There are some screenshots of a malicious version on the websense blog which it would be interesting to compare with your filter to see if it would pick it up:

    http://securitylabs.websense.com/con...logs/3263.aspx
    Last edited by sahmeepee; 16th December 2008 at 08:15 PM. Reason: stupid timeouts

  11. Thanks to sahmeepee from:

    tom_newton (17th December 2008)
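
The deny-entry approach described in the post above, with the revert it relies on, as an added example that is not part of the original post or the Microsoft advisory. The denied principal (Everyone), the denied rights, the HKLM path behind HKEY_CLASSES_ROOT and all function names are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Assumed: Everyone (S-1-1-0) as the denied
# principal, QueryValues + EnumerateSubKeys as the denied rights, and the HKLM
# path that backs the machine-wide part of HKEY_CLASSES_ROOT.
$SubKey   = 'SOFTWARE\Classes\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}'
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Open-KeyForAcl {
    # Open with only the rights needed to read and write the DACL, so the key
    # can still be opened (and the entry removed) once the deny is in place.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if ($null -eq $key) { throw "Key not found: HKLM\$SubKey" }
    $key
}

function New-DenyRule {
    # ReadPermissions is deliberately not denied, so the ACL stays readable.
    $rights = [System.Security.AccessControl.RegistryRights]'QueryValues, EnumerateSubKeys'
    New-Object System.Security.AccessControl.RegistryAccessRule($Everyone, $rights, 'ContainerInherit', 'None', 'Deny')
}

function Test-XmlIslandDeny {
    # True when an explicit deny entry for Everyone is present on the key.
    $key = Open-KeyForAcl
    try {
        $acl   = $key.GetAccessControl('Access')
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        [bool]($rules | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Everyone.Value })
    } finally { $key.Close() }
}

function Set-XmlIslandDeny([switch]$Remove) {
    # Add the deny entry, or take it back out with -Remove.
    $key = Open-KeyForAcl
    try {
        $acl = $key.GetAccessControl('Access')
        if ($Remove) { [void]$acl.RemoveAccessRule((New-DenyRule)) }
        else         { $acl.AddAccessRule((New-DenyRule)) }
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}

# Set-XmlIslandDeny            # apply the workaround
# Test-XmlIslandDeny           # confirm the entry is present
# Set-XmlIslandDeny -Remove    # revert once the patch is deployed
```

Because the key's values are left untouched, reverting is a single ACL change rather than a registry restore.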

  12. #10

    Michael's Avatar
    I've had a good look at the Advisory and I think unregistering and then registering OLEDB32.DLL (when Microsoft release a patch), is the easiest option.

    Unregister:
    Code:
    Regsvr32.exe /u "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    Register:
    Code:
    Regsvr32.exe "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    I'm not going to implement the fix on admin workstations or servers, as I am pretty positive this will stop SQL related services such as SIMS, CMIS or of course WSUS from running (not good).

    If only the end of term was tomorrow then I could forget about it and just turn all machines off over the Christmas period!

  13. #11
    sahmeepee's Avatar
    Well we tried disabling that on a virtual PC, but unfortunately it reliably kills mail merges (between word and excel) and probably anything else of that nature. SIMS itself ran fine although we didn't test any report generation etc.

    The XML data island fix is much less likely to break stuff so I'm going with that on our admin and classroom PCs until this out-of-band patch comes out tomorrow and we get it deployed everywhere:

    Microsoft Security Bulletin Advance Notification for December 2008

    Using web browsers on servers is even more wrong than normal at the moment!

  14. #12

    Michael's Avatar
    I just conducted a quick experiment on one of my SQL Servers. Using the above method of unregistering OLEDB32.DLL, I then attempted to run Sims.NET and FMS in turn and both work fine; I could log on, which would indicate database functionality is normal.

    And speaking of databases, SQL 2005 SP3 has been released. Something for the new year I think!

  15. #13

    Michael's Avatar
    "but unfortunately it reliably kills mail merges (between word and excel)"
    You're right; I can re-create this using Office 2003 SP3.

  16. #14
    sahmeepee's Avatar
    As a quick update, I disabled the XML island stuff overnight and now Outlook Web Access is pretty much borked! It seems it's needed for replies and setting high importance and possibly for sending mails at all. Not good. Luckily reverting the setting is quite easy.

    So thus far I've not found a suitable fix. Let's hope the patch comes quickly!

  17. #15

    AngryTechnician's Avatar
    Just to echo what sahmeepee said: Outlook Web Access is almost unusable after disabling the XML Data Island CLSID. The TechNet blog article on this recommends this method as "our least intrusive workaround". Clearly Microsoft don't use their own webmail product very much!
    Last edited by AngryTechnician; 17th December 2008 at 09:11 AM.
