Important - IE VML Vulnerability - IE7 is immune

Internet Explorer 7 is immune to this vulnerability (just like it has been immune to virtually all the other vulnerabilities that have been announced).  I strongly recommend that you update to the IE7 Release Candidate as soon as possible.

To quote the IE team themselves back in August: "...With the exception of a very short list of issues we’re aware of and working on, we think the product is done.... Depending on your feedback, we ***may*** [my emphasis] post another release candidate. We’re still on track to ship the final IE7 release in the 4th calendar quarter."

Please, don't hold off installing IE7 for these last few months just because IE7 is still "in beta".  Read the RELEASE NOTES and make a judgment call based on the software that you run.

If you have problems, this blog and the support newsgroups are available to you.  It should be noted that HP Director software will have problems (but a workaround has been posted to the newsgroups) and Norton software is problematic (frankly, IE7 RC1 will protect you from exploits far better than Norton - if given a choice between the two, I say go for IE7 and move to a different antivirus).

To be extra careful, you can search the general Internet Explorer newsgroup for mention of your software to see if others are having problems.

Of course, there will be situations where you cannot install IE7 because there is an application that you know will break.  But in circumstances like this, where you will protect your machines not only from the vast majority of exploits but, in all likelihood, from future vulnerabilities as well (which is a *major* security benefit), we should assess the situation on a per-site basis and make a decision.  Test things out.

Screenshot of results of Zert test page using IE7RC1 on XPSP2:

Internet Explorer 7 on Windows Vista Ultimate (unlike Ed Bott I did not see any ActiveX prompts):
 

To recap:

A patch is anticipated by October 10, but may be released earlier (see the second Security Centre blog entry listed below).

Information about the IE VML vulnerability has been posted at MS:

http://www.microsoft.com/technet/security/advisory/925568.mspx
http://support.microsoft.com/kb/925568

Jesper has also posted information about how to mitigate the threat:

http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
http://msinfluentials.com/blogs/jesper/archive/2006/09/22/More-options-on-protecting-against-the-VML-vulnerability-on-a-domain.aspx

Microsoft Security Response Centre blog:
http://blogs.technet.com/msrc/archive/2006/09/19/457560.aspx
http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx

 

Published Sat, Sep 23 2006 9:47 by sandi
Comments

# re: Important - IE VML Vulnerability - IE7 is immune

Saturday, September 23, 2006 12:14 AM by sandi
Ed Bott tests IE7 on Vista against the exploit: http://blogs.zdnet.com/Bott/?p=141

# re: Important - IE VML Vulnerability - IE7 is immune

Saturday, September 23, 2006 5:49 PM by Ike Bottema
Are there any blogs that compare IE7 to FF? I'd be interested to know how IE7 stacks up against FF. That asked, perhaps the advice to upgrade is irrespective of whether FF is used for browsing. I understand certain IE functions are ingrained in the OS and the recommendation may be independent of which browser is used. Comments?
