The Register has a story on a new security hole in Microsoft's Internet Explorer browser and IIS web server. The security hole could let an attacker run code on any machine using IE or IIS, but what's particularly scary about this one is that systems up to date with the latest patches may not be safe.
Normally, when an ActiveX control is vulnerable to an attack, Microsoft's patch merely delivers a new, invulnerable control and sets a "Kill Bit" on the old one. Controls with set Kill Bits cannot be invoked by Internet Explorer. However, in this case it is not possible to set the Kill Bit without rendering countless web sites unreadable, Microsoft said.
Microsoft is working on a permanent fix, but what's their suggested solution for now? Remove "Microsoft" from your browser's list of trusted sites. Trustworthy computing indeed.
A malicious attacker would be able to reintroduce the vulnerable control with just a specially crafted HTML document. Users who have their browsers configured to trust Microsoft-signed ActiveX controls by default would have the vulnerability reintroduced without their knowledge.