Serious IE Defect Reported...comments?

Found this at another, less knowledgeable forum. Not sure if it should be taken seriously, or not.

 

 
 
I am perhaps more cavalier about these security exploits than most. Having never had a virus and gone many years without any antivirus, I tend to take these things less seriously than most (I do scan from time to time now).

At least the writer had the good sense to avoid printing details on the exploit. Doing so is always a two-edged sword since people who would use these things maliciously get information on possible exploits of which they may have been unaware. Unfortunately, his lack of details makes his entire article say little more than "There is a danger so be careful. "

So--I would advise due care. The software available at www.bigfix.com seems to have security updates available before Windows Update does, and sometimes finds updates that are never shown at WU. It can, of course, be configured so that it doesn't start at logon and can be run at will.

To be on the safe side, disable the preview pane in OE, set security to Restricted Sites (the default), and never open suspicious emails or attachments. Always back up anything you don't want to lose, keep your AV up to date, and don't lose any sleep over it.

Those who constantly complain about security flaws in MS products have not read Dostoyevsky and have a poor understanding of the criminal mind. Nothing in this Universe is foolproof to the right kind of fool.

 

I can find no mention of this vulnerability on other sites. It sounds a little like the OE S/MIME Parsing issue - but that's old news and a patch is now available.

The important thing to remember is that most of these theoretical exploits are never actually exploited! Browse Bugtraq and you'll find details of recent vulnerabilities in Opera, Linksys routers, Eudora, etc, etc, etc, etc. You'd probably struggle, however, to find somebody who has actually "hit" with any of these exploits!

Abraxas is quite right - apply a degree of common sense and keep your software up-to-date and you'll be reasonably safe!

 

Edit

I initially posted a link to a page which fully detailed this exploit (which does exist and which is rather nasty). However, as the page also included the malicious script itself, I have deleted the link.

It would appear that (currently) the only sure way to protect against this exploit is to either completely disable scripting in IE or to install some form of script control (and I'm not sure whether or not the latter actually would be effective).