IE 5.01SP2 and security fixes

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 03/05/02


Date:         Tue, 5 Mar 2002 15:25:54 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I received numerous questions regarding MS02-005 and IE 5.01SP2 and
operating systems other than Windows 2000 (e.g. NT 4.0, WinME, Win9x).

The patches available do not cover IE 5.01 on any platform other than
Windows 2000.

Microsoft has a standard policy of supporting the current version, and I
thought, one major version previous. To me that meant IE 6.0 and IE 5.x,
with IE 5.01 and IE 5.5 being supported. Seems I was incorrect, and the
IE team see IE 5.5 as the oldest version **except** wrt Windows 2000
(since W2K ships with IE 5.0x).

So, unless you are running W2K, it looks like you must upgrade IE to 5.5
or 6.0 to maintain support for security issues. There's a hint there may
be an NT 4.0 version of this patch for IE 5.01SP2 some time in the
future, but that hasn't been confirmed. We'll keep our eyes open.

Of course in upgrading you also subject yourself to the threat of the
WebBrowser control problem that allows execution of any program on your
system (see GreyMagic Security Advisory GM#001-IE from last week). This
is also referred to as the Pop-Up vulnerability reported back in January
by The Pull. IE 5.01 systems aren't vulnerable to this, as yet unfixed,
issue.

So, you could say, damned if you do, damned if you don't. I'd say the
threats posed by the vulnerabilities patched by MS02-005 currently
outweigh the threat posed by the as yet unfixed WebBrowser control
vulnerability (but this assessment could change, unfortunately!)

Cheers,
Russ - NTBugtraq Editor


