Darn if you do, darn if you don't.

From: Castigliola, Angelo (ACastigliola_at_UNUMPROVIDENT.COM)
Date: 10/06/04

    Date:         Wed, 6 Oct 2004 12:58:15 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Like most large organizations, when a new service pack is released it
    needs to go through rigorous testing before it is deployed to the
    enterprise. As we have all seen on other mailing lists, administrators
    face problems when making the jump to XP SP2 without environment
    testing first. However, sticking with XP SP1 until the time is right to
    deploy XP SP2 is starting to show its negative side.
     
    Two days ago it was reported on another list that the web site
    http://themexp.org was able to load spyware onto a fully patched XP SP2
    running Internet Explorer SP1 with no user interaction. This is false.
    XP SP2 running IE SP1 will prompt the user with a security alert
    letting them know that the site they are visiting is trying to load
    software onto their computer.
     
    However, if you are running XP SP1 with Internet Explorer SP1 you are not
    so lucky. I have tested XP SP1 running Internet Explorer SP1 repeatedly
    and there is no practical fix. These test machines were patched with
    _ALL_ of the Microsoft Updates that are supposed to stop spyware from
    installing itself on a computer like this:
     
    http://support.microsoft.com/default.aspx?scid=kb;en-us;814078
    http://support.microsoft.com/default.aspx?scid=kb;en-us;816093
    http://support.microsoft.com/default.aspx?scid=kb;en-us;823182
    http://support.microsoft.com/default.aspx?scid=kb;en-us;825119
    http://support.microsoft.com/default.aspx?scid=kb;en-us;832894
    http://support.microsoft.com/default.aspx?scid=kb;en-us;835732
    http://support.microsoft.com/default.aspx?scid=kb;en-us;840374
    http://support.microsoft.com/default.aspx?scid=kb;en-us;840315
    http://support.microsoft.com/default.aspx?scid=kb;en-us;839645
    http://support.microsoft.com/default.aspx?scid=kb;en-us;867801
    http://support.microsoft.com/default.aspx?scid=kb;en-us;833987
     
    My questions to the forum are: Are computers running SP1 hopelessly at
    the mercy of websites like http://themexp.org that choose to distribute
    spyware? Why would Microsoft plug a hole in Internet Explorer SP1 with
    XP SP2 and not provide a Microsoft Update for large organizations still
    operating on XP SP1, given that XP SP2 was released only 2 months ago
    today?
     
    There should be a Microsoft Update to stop spyware from loading onto a
    computer like this on XP SP1, and there is not.
     
    Angelo Castigliola III
    Operations Technical Analyst I
    UnumProvident IT Services
    207.575.3820
     

