Back in November, I sent an alert to the list about a newly-discovered security hole in Internet Explorer that could allow outsiders to get access to the contents of your computer's cookies, where sensitive personal information (such as passwords) might be stored. I thought this was important enough to repost. (The original message, with more information is below.) If you are using either Internet Explorer or Outlook Express, you should definitely fix this security hole on your computer.
If you are using Internet Explorer 5.5 or 6, you can fix the problem by downloading the "critical updates" from the Windows Update site. However, if your version of IE and/or Outlook Express is earlier than 5.5 (which is probably true for 90% of list members), the only solution is to install the full version of IE (including Outlook Express, which is an IE component) version 5.5 or 6.0 - I suggest version 6. You can also get these updates from the Windows Update site - however, they will *NOT* appear under the "Critical Updates" section, but are listed farther down the page. During the installation, you will be asked whether you want to do a "typical" or "custom" install. Doing the typical install is safest -- if you want to do a custom install, be sure to include Outlook Express, or you will not fix the security hole. It is appropriate, I think, to be more than a little annoyed at Microsoft for the ways in which they have made keeping up with computer security a nearly full-time job. In this case, not only have they made it very difficult for the average user to even know about the problem, but they also seem to have gone out of their way to make things hard for folks who are paying attention. For instance, if you are trying to update IE on multiple computers on a network, it is not possible to download a single installation file for all the machines -- you have to go through the whole 10-15 Mb download for each computer. One last point - according to Woody's Windows Watch (<www.woodyswatch.com/windows>), Microsoft's Windows Update site was broken for the last few days, although the company did not admit it. I know I was having big problems with it, while setting up a computer for a HelpNet member. Things are supposed to be working again now. OK, rant over. If you have any questions about all this, please post them to the list. Jon >Date: Mon, 19 Nov 2001 16:20:56 +0000 >To: folkschool list >From: Jon Falk <[EMAIL PROTECTED]> >Subject: Internet Explorer cookie security hole > >Last week, Microsoft announced the discovery of yet another security hole >in Internet Explorer: > >"A vulnerability exists because it is possible to craft a URL that >can allow sites to gain unauthorized access to user's cookies and >potentially modify the values contained in them. Because some >web sites store sensitive information in a user's cookies, it is >also possible that personal information could be exposed." > >This seems like a pretty serious problem to me. If you are using IE 5.5 >or 6, the good news is that Microsoft has posted a patch, at: > ><http://www.microsoft.com/windows/ie/downloads/critical/q312461/default.asp> > >However, if you are using IE 5 or 5.01 (the most likely version if you >have Windows 98), the news is not so good. According to Patrick Douglas >Crispen, writing in the Nov. 17 Tourbus newsletter (www.tourbus.com), >Microsoft is no longer supporting pre- 5.5 versions of IE. So even though >version 5, (and version 4) may also have this cookie vulnerability, >Microsoft will not *ever* be issuing patches for earlier versions of >Internet Explorer. (If you don't know what version you are using, open >Internet Explorer, and click on Help > About Internet Explorer.) > >If you're using a pre-5.5 version of IE, your choices are to ignore the >problem, upgrade to IE 5.5 or 6, or switch to a different browser >(Netscape, Opera, etc.). You can download and install an updated version >of Internet Explorer (I suggest version 6) from Microsoft's Windows Update >site. (Click on "Windows Update" on your Start menu, or go to ><www.windowsupdate.com>). These are BIG downloads - 30-60 minutes on a >56K connection. > >For more information, read Patrick's newsletter in the Tourbus archives >(<http://www.tourbus.com/archives.htm>). Any questions? Send them to >this list. > >Jon > >Jonathan Falk >Pine Tree Folk School >RR 2, Box 7162 >Carmel, ME 04419 >(207)848-2433 ><http://www.ptfolkschool.org> > > Jonathan Falk Pine Tree Folk School RR 2, Box 7162 Carmel, ME 04419 (207)848-2433 <http://www.ptfolkschool.org> **Folkschool-list archives are at: <http://www.mint.net/folkschool/helpnet/archives.htm> Sponsored by Pine Tree Folk School ==^================================================================ This email was sent to: [email protected] EASY UNSUBSCRIBE click here: http://topica.com/u/?a84vzQ.a9gqS3 Or send an email to: [EMAIL PROTECTED] T O P I C A -- Register now to manage your mail! http://www.topica.com/partner/tag02/register ==^================================================================
