12-4-02

Cumulative Patch for Internet Explorer 5.5 & 6.0 (Q324929) is available at...

http://www.microsoft.com/windows/ie/downloads/critical/q324929/default.asp

NOTE: Windows update site has been buggy of late. It may tell you you're up-to-date when you're not. Also, it may reinstall updates that you already have.

Hopefully, M$ will fix this soon, or they may have already done so.

aloha.........bellgamin

Two Facts...

#1 - M$ has now upgraded the fixes in this patch from *Moderate* to *Critical.* [Of course, it was critical all along but public outcry has forced M$ to at last admit it.]

#2 - The fact that Q324929 is a cumulative patch means you are able to catch up on any and all security patches that you may have missed in the past.

aloha........bellgamin
~~~~~~~~~

In case of emergency...
1) Pick up your hat
2) Grab your coat
3) Leave your worries on the doorstep
4) Just direct your feet to the sunny side of the street.
:D ;) :p :rolleyes:

Got to love their honesty......

In other news, Microsoft is now admitting that this is a downgrade, as all 'upgrades' to their products are, and the real upgrade can be found here (http://www.mozilla.org) along with a lack of security issues and the ever-useful tabbed browsing :P

I hear you, Rodzilla.

I am not a fan of M$ or IE. However, Mozilla has its own security problems. To wit...

BUG ID Product Component Summary
88183 Browser Plug-ins navigator.plugins leaks path names
104472 Browser Security execution of scripts in the file: protocol from
XUL using cgi
125583 Browser Security Disable automatic XLinks in Mail
135267 Browser Security Reading files cross-host using styles
144228 MailNews Security Malicious email breaks POP server connection
146094 Browser Networking Stealing third-party cookies through a proxy
147754 Browser Security XMLSerializer needs same-origin check
148256 Browser XML flawfinder warnings in XML Extras
148269 NSS Libraries flawfinder warnings in mozilla/security
148520 Browser Password Manager window.prompt is returning a saved password
instead of prompting.
149777 Browser Security Node cloned from external, untrusted document and
appended to chrome document.
149943 Browser Security Princeton-like exploit may be possible
150339 Browser Internationalization huge font crashes X Windows
151933 Browser XML xml:base should not allow setting chrome URLs
152697 Browser Networking no limit on the size of a HTTP header
152725 Browser Cookies Possible cookie stealing using javascript: URLs
154030 Browser Security HTML directory indexer doesn't html-escape url
154240 PSM Client Libraries No warning when redirecting https-http-https
at http protocol level
154930 Browser Security document.domain abused to access hosts behind
firewall
155222 Browser Security Heap corruption in PNG library
157202 Browser Security Exploitable (?) heap overrun in PNG
157652 Browser JavaScript Engine Crash, possible heap corruption in JS
Array.prototype.sort
157845 Browser DOM Events Crash involving document.open()
157989 Browser ImageLib Possible heap corruption with 0-width GIF
161721 Browser Installer install in onkeypress for space key bypasses
warning dialog

See also...
http://www.internetnews.com/dev-news/article.php/10792_1495711
http://www.internetnews.com/dev-news/print.php/1495711

OR, if you like chat & flame stuff, go to...
http://www.sciforums.com/archive/25/2002/08/4/7307

Phoenix is the great dawn-star as far as the gecko engine is concerned I think. Not Mozilla.

Moreover, IMHO, it is Opera 7-beta that has become the standard for IE, Mozilla, Phoenix, et alia to aspire to.

Just my $.02 worth.......bellgamin

And how many of those have been exploited?

How fast will they be fixed, in comparison with IE?

:P

Rodzilla -- you are sooooo right!!

It's a bloody shame, too. Why? Because the IE engine itself is pretty good, when stripped of all the bloat, & eye candy, & proprietary garbage that M$ hides therein.

Witness the many tabbed browsers that are being built nowadays around the IE engine. Crazy Browser & Avant browser, to name just a couple.

Actually, my favorite browser right now is a Singapore-special called MyIE2, which is built on the IE engine & is just about as fast as Opera 7-beta. Security is NOT a problem with MyIE2 because...

1) I have disabled most of the IE holes by using [e.g.] socklock, htastop, bhodemon. There is ZERO overhead to these tiny, one-shot proggies. You run them once, which kills the holes, and delete them.
2) Secondly, I surf with Internet Security set at High++, & Trusted Zone set at Low. This set-up let's me use the IE engine [but NOT IE itself] & still be reasonably safe. The *inconvenience* of rigidly using the High++ setting is offset by using Jason's Trust Setter, a truly superb teeny program that let's me easily add & remove sites between the Internet, Trusted, and Restricted zones.

I tested the above set-up at some REALLY baaaad sites. MyIE2 stayed the course. Phoenix & Opera & OffByOne all three crumbled at those same sites, & only my AT + Firewall + SSM saved my computer's chastity. I have no idea how Mozilla would have fared.

Peace to all..............bellgamin

I imagine web surfing as reading the newspaper in the morning: pleasant music, two croissants, and a glass of Pepsi … haven :) .
You make it sound like guerilla warfare:
1 M4A1, two proximity grenades, Kevlar, combat knife, gas mask, etc. :bomb: :chainsaw: :angry:

I have Opera for browsing and Netscape and IE for testing for my clients.
If a website is bad on Opera … There is Google to find another one. They don’t want me … I don’t want them. No fighting, no small programs to download.

I imagine web surfing as reading the newspaper in the morning: pleasant music, two croissants, and a glass of Pepsi … haven .
You make it sound like guerilla warfare:

Ho-ho-ho. Good schtick! :D

It's interesting, actually. I have a couple of websites where I do Bible studies & humor & sweet/lovely poems of one sort or another. Every page of these sites carries one of my several email addresses because I also do counseling & seek to render comfort & try to answer questions.

Like Ivory soap, 99.44% of the email I get is from nice people [it floats]. However, there IS that 0.56 of 1% that wants to present me with cyber goodies that seek to inflict metastisizing masses of carcinogens in my computer's nethermost sphincter. Most of those trace-back to areas in the world where the last thing one would expect to find are folks who: (1) can read & write English, and (2) visit websites that are Judeo-Christian-religious in nature.

In point of fact the email attempts are mostly pathetic & ludicrous script-kiddie attempts -- almost funny. They are not my main problem. It's the rampant pingers & steady drum of connection attempts that have caused me so much headaches that I dare not use broadband, & must re-dial my dial-up ~every hour or so [to switch IP's, of course] because of the deluge of probes that hit certain ports after I am on for a while.

It must be my *winning personality*

aloha.......bellgamin :karate:

There is a critical security hole in versions prior to 3809 for the Windows Virtual Machine that handles Java. M$ put a patch online on 12/11/02.

To see if you need this patch...
1) Do run -> command.

2) At the prompt, type "Jview" without the quotation marks.

3) If you get an error, NO sweat. If you see that you already have VM build 3809, NO sweat. Otherwise, you had better DL&I the patch.

4) To get the patch, go to windows update site...

http://windowsupdate.microsoft.com/

The update site is incredibly sloooow at times. No help for it but to keep trying.

The site is also buggy at times. If the update site says you do not need an update, but you know that you DO, let me know & I'll tell you a work around that took care of that problem for me.

shaloha.......bellgamin