posted on Thursday, March 23, 2006 9:08 PM
by
bradley
Choices for our risks
There's a new security advisory tonight.. http://www.microsoft.com/technet/security/advisory/917077.mspx and the advisory states "Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."
So let's recap our options shall we? Here's our Tinfoil recap:
- Ensure you are running Outlook 2003 as the preview pane in that version does no scripting - (check got that)
- Run in the rights of the users - not local administrator- so we should be running as LUA or screaming our heads off to our bosses and firms to do LUA (as Vista will be pushing us that way anyway) - check
- *Note* Customers who use the Microsoft Internet Explorer 7 Beta 2 Preview <http://www.microsoft.com/windows/ie/ie7/default.mspx> that was released on March 20, 2006 are not affected by the public reported vulnerability. -- AH HA deja vue.... one of the ONLY times I rolled out a beta (besides MSAS) was in the XP sp2 era and an download.ject pushed me into deploying XP sp2 beta on my risky workstations. So if we want to take a beta risk...we will be rewarded with protection....
- So far (at this time) I've seen POC postings but no web sites in action...and like the WMF issue last time I would have fired someones assets if they had surfed to that site (and a reason that I don't like banner ads on www.msmvps.com)
- Run in high security in Internet Explorer... and put sites we know in trusted zone (question... in XP I use this old IE 5.x power toys that adds a little button to make it really easy to add sites into the trusted zone)
- "Dropmyrights" in IE (the Michael Howard IE tool) should also do it's job (I'm presuming yes).
.. okay so Chicken Little and the tinfoil gang have options, right?