The Register has a story on a new security hole in Microsoft's Internet Explorer browser and IIS web server. The security hole could let an attacker run code on any machine using IE or IIS, but what's particularly scary about this one is that systems up to date with the latest patches may not be safe.
Normally, when an ActiveX control is vulnerable to an attack, Microsoft's patch merely delivers a new, invulnerable control and sets a "Kill Bit" on the old one. Controls with set Kill Bits cannot be invoked by Internet Explorer. However, in this case it is not possible to set the Kill Bit without rendering countless web sites unreadable, Microsoft said.
Microsoft is working on a permanent fix, but what's their suggested solution for now? Remove "Microsoft" from your browser's list of trusted sites. Trustworthy computing indeed.
A malicious attacker would be able to reintroduce the vulnerable control with just a specially crafted HTML document. Users that have their browsers configured to trust Microsoft-signed ActiveX controls by default would have the vulnerability reintroduced without their knowledge.