Random Acts of IT Project Management

Project Management for Information Technology

Internet Explorer Back in the News

Posted by iammarchhare on 7 July 2009

Microsoft has taken the unusual step in posting a security advisory about a vulnerability in XP and 2003 Server machines running Internet Explorer.  It is being called the “zero day” vulnerability.  Microsoft issues security advisories (Yahoo! calls them “updates”, which is confusing) around the second Tuesday of the month, but it broke the pattern because of the seriousness of the vulnerability.  It did this before with the Conficker worm earlier this year.

It is an unusual vulnerability because all that has to occur is for a user using IE on the XP and 2003 Server platforms navigates to a website that has been hacked.  The user does not consciously download anything, but the trojan is downloaded onto the users machine, escaping detection.  The propensity for users to click on links in emails from associates means that it is fairly easy to get people to visit the hacked web sites.  And, just in case you are ready to jump on the “I would never do that!” bandwagon, there was also a story about the Bermuda weather website getting hacked yesterday.  While it doesn’t sound like the same virus, it goes to show the vulnerability of surfing the web.

There is a workaround available.  Of course, you could just switch to Firefox, a much better browser, IMO.

In the end, MS is recommending that all users implement the workaround, even for Vista, because “there are no by-design uses for this ActiveX Control within Internet Explorer.”

That’s sort of a scary statement, when you think about it.  When you read the description, it is even more problematic.  You end up disabling either QuickTime or limiting Microsoft Media Player’s ability to play AVI and WAV files.  Whatever happened to the good old days when multimedia couldn’t harm your computer other than running out of memory?

Be aware that the automated “Fix this problem” button on the KB will do the disable QT workaround.  So, if you deal with a lot of QT media, you may want to use one of the other workarounds.

Update: I tried the registry workaround on Vista, and the “Fix this problem” button does not work because the key doesn’t exist. So, I’m not sure why they are telling “all customers” to implement a workaround. Perhaps they mean “all Windows XP and Windows 2003 customers”?


Sorry, the comment form is closed at this time.

%d bloggers like this: