Microsoft emergency fix kills bugs in IE, Visual Studio

Microsoft issued two emergency updates on Tuesday to fix critical security bugs that leave users of Internet Explorer and an untold number of third-party applications vulnerable to remote attacks that completely commandeer their computers. Most of the vulnerabilities are located in Microsoft's ATL, or Active Template Library, …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Happy

    Ah, the good ol' days return

    It is both reassuring and (slightly) amusing that Microsoft considers (in this COM and .Net ridden time) that the good old flowchart is the clearest and easiest way to ask yourself a few questions and determine if some code is affected by the KillBit bug being patched - nice one Redmond, glad to see sense for once prevailing :-)

    If only the rest of your gang could see how to use technology sensibly and appropriately 8~| it could do wonders for your users, future products and OSes.

    The page I'm referring to is this one

    http://msdn.microsoft.com/en-us/ee309358.aspx

  2. WinHatter
    Grenade

    M$ $ecurity

    Like installing a .NET Firefox plugin that brings the IE InsEcurity to the Fox. (installed by the .NET framework 3.5)

    Plugin that cannot be uninstalled.

    I bet they did not kill this one.

  3. Anonymous Coward
    Black Helicopters

    Tea?

    Cup of tea anyone?

  4. Anonymous Coward
    Badgers

    @WinHatter

    Have you by chance been at the Mercury again?

  5. Anonymous Coward
    Unhappy

    Well thank you Microsoft

    Looking forward to the updated fix to fix the bugs in the earlier fix. Wouldn't it be easier if you just stopped using ActiveX?

  6. The BigYin
    Thumb Down

    @WinHater

    That is the fault of FF I am afraid. Why did it let something get installed without explicit user consent? That is a MASSIVE security hole.

    And this plug-in is for all users - so it should have demanded explicit consent from an Admin user.

    Oh, wait, I forget; Windows users almost always run as Admin.

  7. Anonymous Coward
    FAIL

    Microsoft...

    security by complete accident

  8. CD001

    @WinHatter

    ----

    Plugin that cannot be uninstalled.

    ----

    Yes it can, MS released a patch that enabled you to uninstall (rather than just disable) that plugin months ago - please try to keep up.

    Granted, putting it on there in the first place was shonky as hell behaviour but that's a different issue entirely.

  9. Ken Hagan Gold badge

    Related vulnerabilities

    "If you're using an ActiveX control that loads in an application other than IE, there's still the very real possibility that it has been poisoned by Microsoft's ATL and isn't fixed by these updates, said Ryan Smith, one of the researchers who discovered the killbit-override bug."

    Sort of... If you are using an ActiveX control that used the previous version of ATL, then both you and IE are vulnerable until the author fixes that ActiveX control. In mitigation, the exploit code has to be already on your machine in order for it to be executed, unless the container application will happily download code from arbitrary locations and run that.

    And only a complete muppet would design anything like *that*.
