The Active Network
  Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)
Time: 10:51 EST/15:51 GMT | News Source: Microsoft | Posted By: Todd Richardson

ADODB.Stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an Internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer.
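The way the update disables the object inside the browser is Internet Explorer's ActiveX "kill bit": a Compatibility Flags value of 0x400 under IE's ActiveX Compatibility registry key for the ADODB.Stream class, which makes IE refuse to instantiate it while scripts outside the browser can still use it. The PowerShell check below is an added example, not part of the ActiveWin post or of Microsoft's update package; it assumes the well-known ADODB.Stream CLSID (not quoted on the page) and the standard ActiveX Compatibility key paths, and the function name is my own.

```powershell
# Added example: verify that the ADODB.Stream control carries IE's kill bit
# (Compatibility Flags 0x400), which is how the KB870669 mitigation blocks the
# object from being hosted in Internet Explorer. Read-only; no changes are made.
# Assumption: $adodbStreamClsid is the well-known ADODB.Stream class id.
$adodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE will not load a control with this flag

function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid
    )
    # 64-bit Windows keeps a second copy of the key for 32-bit IE under Wow6432Node.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    $results = foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Clsid      = $Clsid
            Path       = $p
            Flags      = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { $null }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
    if (-not $results) {
        # Key absent entirely: the control has never been kill-bitted on this host.
        return [pscustomobject]@{ Clsid = $Clsid; Path = $null; Flags = $null; KillBitSet = $false }
    }
    return $results
}

$status = Test-ActiveXKillBit -Clsid $adodbStreamClsid
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.KillBitSet }) {
    Write-Warning 'ADODB.Stream is not kill-bitted in at least one IE view: apply KB870669 or a later cumulative IE update.'
}
```

Note that the kill bit only governs Internet Explorer hosting; the control itself remains registered and usable by local scripts, which is the by-design behaviour the advisory describes.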

  This is an archived static copy of ActiveWin.com.
#1 By 23275 (68.17.42.38) at Friday, July 02, 2004 01:38:11 PM
The patch that is now available has been tested and deployed on XP, W2K and W2K3 systems and does not require a restart.

A direct download for any system struggling with WU is located here,
http://www.microsoft.com/downloads/details.aspx?FamilyID=4D056748-C538-46F6-B7C8-2FBFD0D237E3&DisplayLang=en

#2 By 23275 (68.17.42.38) at Saturday, July 03, 2004 11:54:19 AM
Oh Boy....

Look, ActiveX is just a COM Client. It is one [and I think good] method of remote invocation [it was designed to allow for code validation and signing]. Any method of RMI - CORBA, Java RMI, DCOM, etc... has its vulnerabilities - a lot of them. If you think ActiveX is bad...well, please look at SUN RPC on 111 before you comment or the comments opposite Mozilla, which is a huge part of Firefox...

The update provided yesterday adjusts how such remoting is handled within the LMZ on a system. It is very similar to the many changes made opposite the handling of ActiveX controls [COM Cliency] in XP SP2 and W2K3, its SP1 and later, its R2.

Two things, 1) Set up whatever profile/configuration you like in W2K and XP - once set up, create a new user with limited rights on the LMZ. Copy the profile you created over the new limited user; verify that the new user is restricted and run as that user, only. If you need to install SW, use the "RUN AS" option - in other words, control your machine and take ownership of it. Either that, or use RUN AS each time you want to install SW and simply run as a restricted user - or wait around for MS to hold your hand and release SP2...
2) Look real hard at just how bad Mozilla and Firefox are from a security standpoint - for that matter, Minuces and Linuces, too and at just how many are rooted to the hilt - it is a lot easier than you think - particularly since the source is open and essentially always has been.
The USNSA has warned all in Govt. about this for years, and even released its own hardened version to offset native vulnerabilities. The truth is, MS writes the most secure code available - despite the noise we all hear. I will say only this...there are a great number of professionals very glad that so many blindly put their faith in such systems. Thanks for the ear.


#3 By 23275 (68.17.42.38) at Saturday, July 03, 2004 07:42:30 PM
Hi, #20...not complicated at all. The reality is that MS has sought to make running a powerful multi-purpose/multi-user computer [indeed computing environment], very easy - the process is referred to as producing "Discoverable" software, or software that is intuitive enough to use that known start points and known end points are easily discoverable and supported by task based interfaces. That is all well and good and as it should be; however, modern systems, which face the public networks and Internet, are production systems. Such systems require the same care as any production system and very likely more.

The choices are two - either run as a restricted user after having set your system up, and limit access [in and out-bound] to only those ports needed, or run as essentially root and take your chances.

Very obviously, most people are not going to accept even modest inconveniences - they'll run wide open as the administrator/root. So, MS will address most of it for them and soon add NX technologies that negate both buffer and stack overflow vulnerabilities. Criminals will then go back to where they once pretty much stayed - the Unices, Minuces and now, Linuces - BTW, they laugh their tails off at all the well-intentioned, but under-trained advocates of OSS - most are setting up very nice sources for them... We...we'll just keep doing what we do, and make it very hard on them. If you all knew the truth - the real truth, you'd know just how good MS has been and is, and also just how wrong many others are. Anyone remember when Mozilla tried to get rid of all Operating Systems and departed from standards? That BTW, is what killed Netscape, not IE and not MS. Thanks for the ear.