98Guy Posted December 16, 2008

http://www.microsoft.com/technet/security/...ory/961051.mspx

"Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008."

Hmmm. IE7 / Win-XP is affected eh?

"At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7."

Hmmm. Threats against IE7 are known to currently exist eh?

Oh, and just to be clear - IE7 does not run on windows-98?

-nuf said-

submix8c Posted December 16, 2008 (edited)

Yup, almost true.

But if you look on the main MSFN page you'll see that the flaw in IE7 may also apply to IE6, so be aware! Go here to read about it - http://www.msfn.org/comments.php?shownews=23049

Edited December 16, 2008 by submix8c

cluberti Posted December 16, 2008

And the flaw is technically in oledb32.dll, which DOES exist on a 9x install if you have MDAC installed. So claiming invulnerability because you aren't using IE7 (IE6 and IE 5.x are vulnerable too, as is potentially any browser which would run code against this .dll in this manner) is dangerous at least.

an3k Posted December 17, 2008 (edited)

Btw. using Firefox is also not a good solution: http://www.msfn.org/comments.php?shownews=23063

I'm happy still having my Windows 98SE Setup disc and Key for a Pentium 75 with 128 MB RAM and 1,2 GB HDD

Edited December 17, 2008 by an3k

98Guy (Author) Posted December 18, 2008 (edited)

Microsoft has chosen to "fix" the current IE vulnerability by releasing a new version of mshtml.dll instead of fixing the real vulnerable file which is OLEDB32.DLL.

Edited December 18, 2008 by 98Guy

cluberti Posted December 18, 2008

The exploit is use-after-free in the process doing the calling, not oledb32.dll. The fix addresses the vulnerable application, not the dll that simply exports the APIs called.