Bugtraq mailing list archives

RE: MS 3/28/02 Security Patch for IE6 - warning!


From: Eric <ews () tellurian net>
Date: Tue, 02 Apr 2002 22:14:23 -0800

The Register was running the script locally, in the My Computer zone. If you host the malicious HTML on a web page, etc., then the patch does indeed prevent the execution of code.

At 12:51 AM 4/3/2002 +0200, Thor Larholm wrote:
Further, the patch doesn't seem to work completely:

http://www.theregister.co.uk/content/4/24667.html

Though, in other cases, it works better than expected:

http://jscript.dk/unpatched/N280302-01.html

A revision of the patch may be in place.

Regards
Thor Larholm
Jubii A/S - Internet Programmer

-----Original Message-----
From: Phil Dibowitz [mailto:webmaster () ipom com]
Sent: 2. april 2002 20:44
To: bugtraq () securityfocus com
Subject: MS 3/28/02 Security Patch for IE6 - warning!


BugTraq'ers,

I usually consider this list a bit over my head, and don't post, just read. I'm not totally sure this is on-topic, but I think it is. =)

The MS Security Patch for IE6:

----------------
Security Update, March 28, 2002 (Internet Explorer 6)
2456 KB/ Download Time: < 1 min
The "28 March 2002 Cumulative Patch for Internet Explorer" update eliminates all previously addressed security vulnerabilities affecting Internet Explorer 6, as well as two new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-015. Download now to protect your computer from these vulnerabilities, the most serious of which could allow a malicious user to run code on your computer.
----------------
(That's directly from the MS Windows Update Site)

Seems to be pretty buggy. It trashed a Win2K machine of mine yesterday. After installing, I rebooted and shortly after lost my network connection... then I was unable to get into 'Network and Dialup Connections' or 'Add/Remove programs.' I tried recovery from 'Safe Mode' and 'Last known good configuration' options at boot, but I had the same problems in both modes. Doing a 'recovery' from CD didn't fix it either. As a last resort I chose to do an 'upgrade' from CD which downgraded IE6 to IE5 fixing the problem. I was then able to patch up to the latest IE MINUS that patch.

A friend of mine also had a very similar experience with the patch. I'm curious to know if others have the same problem, and I also wanted to warn people.

Phil
--
Insanity Palace of Metallica
http://www.ipom.com
webmaster () ipom com
--

