Monthly Security Release Includes Critical IE Patch
On Tuesday, Microsoft issued fixes for 14 software flaws in five separate security bulletins Tuesday as part of its regularly scheduled monthly security patch release. The most important patch of the bunch fixes a widely publicized Microsoft Internet Explorer (IE) exploit that has been victimizing users for weeks. In total, 9 of the flaws were rated as critical by the software giant so users should install the patches as soon as possible.
The IE patch MS06-13 fixes several bugs but the most notable is the so called create TextRange bug which hackers first exploited last month. This bug was considered so severe that several security vendors including Determina and eEye Digital Security actually released their own patches ahead of Microsoft. Previously, Microsoft had described only a workaround for the flaw in which the user could disable IE's Active Scripting feature.
IE detractors will note that MS06.13 fixes a total of 10 software flaws in the much maligned Web browser you'll see a separate but related patch for a flaw that tricks Windows Explorer IE's cousin in the Windows shell into browsing malicious remote servers MS06-13 also includes a design change that alters the way IE interacts with ActiveX controls. Microsoft made this change to adhere to a ruling in the Eolas Technologies patent case.
Some hope that IE 7 due in late 2006 for Windows XP and also shipping as part of Windows Vista will turn around IE's long lasting security ills. However, only the Vista version of IE 7 will include the most dramatic security gains thanks to its integration with low level Vista specific security features.
Yesterday I linked to Fred Pullen's download of the Windows Vista Product Guide. According to Pullen, he's had to pull (ahem) the download. Although we had permission from one of its sponsors to post the Windows Vista Product Guide to the TS2 Community Site; it isn't quite ready for public consumption so I was asked to remove the link he notes in his blog. If you were lucky enough to download the sneak peek preview enjoy. We'll provide access to the guide after it becomes publicly available.
The IE patch, MS06-13, fixes several bugs, but the most notable is the so-called "TextRange()," which hackers first exploited last month. This bug was considered so severe that several security vendors, including Determina and eEye Digital Security, actually released their own patches ahead of Microsoft. Previously, Microsoft had described only a workaround for the flaw, in which the user could disable IE's Active Scripting feature.