Spyware Sucks : Internet Explorer 7, Security, safety and privacy on the Internet

The April Security Updates have been released by Microsoft

sandi — Wed, 09 Apr 2008 00:42:00 GMT

Details here:
http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx

The Cumulative Security Update for Internet Explorer is also available - details here:
http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx

Note that this month's cumulative update includes the IE Automatic Component Activation (IE ACA) update (which means no more "click to activate" prompts). The update replaces the previews released in December 2007 and February 2008.

More information about the IE ACA can be found here:
http://blogs.msdn.com/ie/archive/2007/11/08/ie-automatic-component-activation-changes-to-ie-activex-update.aspx

Also, an IE8 Beta 1 For Developers is now available in Chinese (Simplified) and German:

Chinese (simplified) http://www.microsoft.com/china/windows/products/winfamily/ie/ie8/getitnow.mspx
German http://www.microsoft.com/germany/windows/products/winfamily/ie/ie8/getitnow.mspx

Microsoft Security Bulletin Advance Notification for February 2008

sandi — Fri, 08 Feb 2008 22:56:00 GMT

12 patches, including a critical patch for Internet Explorer:
http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx

Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure

sandi — Tue, 04 Dec 2007 10:36:00 GMT

Microsoft is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers, and Microsoft is not aware of any customer impact at this time. Microsoft is aggressively investigating the public reports. Customers whose domain name begins in a third-level or deeper domain, such as “contoso.co.us”, or for whom the following mitigating factors do not apply, are at risk from this vulnerability.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors:

Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured. Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by this vulnerability.
Customers whose DNS domain name is registered as a second-level domain (SLD) below a top-level domain (TLD) are not affected by this vulnerability. Customers whose DNS suffixes reflect this registration would not be affected by this vulnerability. An example of a customer who is not affected is contoso.com or fabrikam.gov, where “contoso” and “fabrikam” are customer registered SLDs under their respective “.com” and “.gov” TLDs.
Customers who have specified a proxy server via DHCP server settings or DNS are not affected by this vulnerability.
Customers who have a trusted WPAD server in their organization are not affected by this vulnerability. (See the Workaround section for specific steps in creating a WPAD.DAT file on a WPAD server.)
Customers who have manually specified a proxy server in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
Customers who have disabled 'Automatically Detect Settings' in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.

Source: http://www.microsoft.com/technet/security/advisory/945713.mspx

Developing Safer ActiveX Controls Using the Sitelock TemplateDeveloping Safer ActiveX Controls Using the Sitelock Template

sandi — Wed, 19 Sep 2007 00:01:00 GMT

The IE team have blogged about the release of a new version of the SiteLock Template for ActiveX Controls . I can't stress strongly enough how important it is that developers place security first when developing controls. Over the years there have...(read more)

MS07-045: Cumulative security update for IE

sandi — Thu, 16 Aug 2007 23:58:00 GMT

This critical security update resolves three privately reported vulnerabilities. These vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have...(read more)

MS07-050: Vulnerability in Vector Markup Language could allow remote code execution

sandi — Thu, 16 Aug 2007 23:56:00 GMT

This security update resolves a privately reported vulnerability in the Vector Markup Language (VML) implementation in Windows. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer....(read more)

FIX: IE7 green addressbar doesn't work

sandi — Thu, 16 Aug 2007 04:48:00 GMT

Just a quick note - I've received several emails recently complaining that the addressbar in IE7 is not turning green as it should when a web site that uses EV certificates is displayed. This problem is invariably caused by turning off the phishing...(read more)

IE7 Cumulative Update August 2007 – further information

sandi — Wed, 15 Aug 2007 02:45:00 GMT

MS07-045 - Cumulative Security Update for Internet Explorer (937143) CSS Memory Corruption Vulnerability - CVE-2007-0943 - Internet Explorer 5.01 on Windows 2000 A remote code execution vulnerability exists in the way Internet Explorer parses certain...(read more)

The IE Cumulative Update for August 2007 has been released

sandi — Tue, 14 Aug 2007 23:42:00 GMT

The IE Cumulative Security Update for August 2007 is now available via Windows, Microsoft and Automatic Update. Information about the cumulative update can be found here: http://www.microsoft.com/technet/security/Bulletin/ms07-027.mspx The update fixes...(read more)

IE7 Security Indepth video now available online together with the IE Desktop Security Guide

sandi — Thu, 09 Aug 2007 23:40:00 GMT

Markellos Diorinos, an IE Product Manager, has made available online his Tech Ed presentation "Windows Internet Explorer 7 Security Indepth". Several other Tech Ed presentations are also available for your viewing pleasure.

The Internet Explorer Desktop Security Guide has also been released, which includes valuable information about the security features new to IE7, as well as advice on the recommended settings.