03.29.06

Do NOT Use Internet Explorer…For Now, At the Very Least

Posted in Whatever, News of the World, Browsers at 8:07 pm by Spencer

In case you haven’t heard, there is a grievous “Extremely Critical” security hole that affects IE 5, IE 6, and IE 7 betas prior to Beta 2 (just released concurrently with the MIX06 conference). This one is not something to be trifled with. If you are a regular IE user you are taking your life into your own hands and should immediately switch to Firefox for the time being, or at least consider one of the stop-gaps below. If you’re curious, here’s the relevant post at the Microsoft Security Response Center Blog.

The problem is with an IE-only JScript/JavaScript thing called createTextRange. The security hole permits evil bastards and their feckless henchmen to easily install keystroke capture programs and, oh, anything they want directly to your computer. No muss, no fuss — just living hell for you.

Since the bug was revealed late last week, hundreds of (obviously) disreputable sites are reported to have modified their code to take advantage of the security hole and install Evil Shit ™ to people’s computers. Microsoft says they are actively targeting such sites with legal action and what all to get them shut down or whatever, but no matter how diligent they’re actually able to be it’s inevitably like bailing the Titanic with a teaspoon.

There are a couple 3rd-party (non official!!) fixes floating around out there, but latest word from Microsoft is they will likely not release a bug fix until April 11 — a full two weeks away. Be advised that using 3rd-party fixes may not quite plug the hole, can cause other unforeseen problems, and/or cause tomcat urine to magically appear all over your leg. Or they may totally do the trick. For their part, Microsoft warns “Some of these [3rd-party] solutions make modifications to Windows itself to bypass the attack vector of the vulnerability.” Anyway, caveat emptor, yo.

If you insist on using IE anyway, for godz sakes at least wade through IE’s Options and disable “Active Scripting” (aka JavaScript). That’s Tools > Internet Options > Security tab > Custom Level button > and scroll down almost to the bottom under Scripting and set Active Scripting to “Disable”. While you’re there, and just below that, set Allow Paste Operations Via Script to “Prompt” (if not “Disable”). You should prolly also scroll all the way to the top again and get paranoid with those ActiveX settings. OH, and definitely disable Java in IE for now. Once you’re done, click Apply, then click OK, and click OK again when you’re back to the Security tab. Whew! Oh yeah…then cross your fingers and wait two weeks for the fix.

Um…or just use Firefox in the meantime.
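
To check a machine after making the Internet Options changes above, here is an added example (not part of the original post) that audits a `reg export` of the per-user Internet zone against those settings. The mapping of the dialog entries to registry values 1400, 1407 and 1C00 under Zones\3, and reading "disable Java" as the zone's Java permissions entry, are assumptions of this example; the sample export is constructed.

```python
import re

# Assumption: the Internet zone is zone 3 under the per-user Zones key.
INTERNET_ZONE = r"Internet Settings\Zones\3"

# URL-action value name -> (label used in the post, acceptable DWORD values).
# 0 = Enable, 1 = Prompt, 3 = Disable; for 1C00, 0 means Java is disabled.
RECOMMENDED = {
    "1400": ("Active Scripting", {3}),
    "1407": ("Allow Paste Operations Via Script", {1, 3}),
    "1C00": ("Java permissions", {0}),
}

def parse_zone(reg_text, zone_suffix=INTERNET_ZONE):
    """Return {value_name: int} for DWORD values under the matching key."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: track whether we are in the zone
            in_zone = line.rstrip("]").lower().endswith(zone_suffix.lower())
            continue
        m = re.fullmatch(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})', line)
        if in_zone and m:
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """Return [(label, current_value)] for settings that do not match."""
    zone = parse_zone(reg_text)
    findings = []
    for name, (label, ok) in RECOMMENDED.items():
        current = zone.get(name)  # None: value absent from this export
        if current not in ok:
            findings.append((label, current))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1407"=dword:00000001
"1C00"=dword:00010000
'''

if __name__ == "__main__":
    for label, current in audit(SAMPLE):
        print(f"NOT HARDENED: {label} = {current}")
```

A value reported as `None` is simply missing from the export, so the effective setting may come from machine-wide defaults or policy and should be checked in the dialog itself.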

Oh yeah, and there’s a couple other major security holes in IE that were recently revealed, too. One of them involves how IE interacts with Java, and another involves what are called HTAs — MS-proprietary “HTML applications” that have full privileges on the box running them.

Man, coming hot on the heels of the Vista postponement and resulting shake-up of high-mucketies, this has been a bad couple weeks for Microsoft.

4 Comments »

  1. Dan said,

    March 29, 2006 at 8:57 pm

    Unfortunately, that same April 11 release will also unleash Microsoft’s Eolas-patent-avoidance workaround, which will cause the entire edifice of Flash and streaming interactive media to come crashing down upon me, as every client we’ve ever served comes knocking to learn how, exactly, we plan on fixing their now-munged sites. Kramdar help us.

  2. Spencer said,

    March 29, 2006 at 9:09 pm

    Kramdar! Kramdar! Why have you forsaken us?!

    BTW Dan, we all missed you at the Whybark/Perez Fiesta. Hope you’re doing well. Oh wait…Kramdar has forsaken you. Clearly you’re not doing well. Um…

  3. Dan said,

    March 29, 2006 at 9:26 pm

    I had planned to attend, but workload at my newly bemerged company demanded I spend nine straight hours on Saturday writing functional specifications, a rousing adventure for all involved. Perhaps the League will convene upon our fair city’s Northern Gate once more.

  4. Spencer said,

    March 31, 2006 at 7:41 pm

    Ew…what a way to spend a Saturday. Sorry to hear it.

    Speaking of the League, I believe a new member was inducted — tho I don’t rightly recall if he accepted the invitation — namely, Mike’s buddy Greg, formerly of the Bare Knuckle Boxers. A fine fellow.
