IE 5.01SP2 and security fixes

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 03/05/02


Date: Tue, 5 Mar 2002 15:25:54 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I received numerous questions regarding MS02-005 and IE 5.01SP2 and
operating systems other than Windows 2000 (e.g. NT 4.0, WinME, Win9x).

The patches available do not cover IE 5.01 on any platform other than
Windows 2000.

Microsoft has a standard policy of supporting the current version, and I
thought, one major version previous. To me that meant IE 6.0 and IE 5.x,
with IE 5.01 and IE 5.5 being supported. Seems I was incorrect, and the
IE team see IE 5.5 as the oldest version **except** wrt Windows 2000
(since W2K ships with IE 5.0x).

So, unless you are running W2K, it looks like you must upgrade IE to 5.5
or 6.0 to maintain support for security issues. There's a hint there may
be an NT 4.0 version of this patch for IE 5.01SP2 some time in the
future, but that hasn't been confirmed. We'll keep our eyes open.

Of course in upgrading you also subject yourself to the threat of the
WebBrowser control problem that allows execution of any program on your
system (see GreyMagic Security Advisory GM#001-IE from last week). This
is also referred to as the Pop-Up vulnerability reported back in January
by The Pull. IE 5.01 systems aren't vulnerable to this, as yet unfixed,
issue.

So, you could say, damned if you do, damned if you don't. I'd say the
threats posed by the vulnerabilities patched by MS02-005 currently
outweigh the threat posed by the as yet unfixed WebBrowser control
vulnerability (but this assessment could change, unfortunately!)

Cheers,
Russ - NTBugtraq Editor