[Infowarrior] - Beware of MS06-013, not just a security fix

Richard Forno rforno at infowarrior.org
Thu Apr 13 11:38:20 EDT 2006


(more interesting reading on this at http://osvdb.org/blog/?p=111)

IE Changes Due: What You Can Expect

Microsoft will release a security update for Internet Explorer that will
also change how users interact with Web sites.

By Gregg Keizer, TechWeb.com
April 11, 2006
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=185300378


Microsoft Corp. will release Tuesday a security update for Internet Explorer
that will also change how users interact with Web sites.

Some sites that rely on popular ActiveX controls, such as Apple's QuickTime,
RealNetworks' RealPlayer, and Adobe's Flash and Acrobat, are likely to give
users fits.

The change, which Microsoft has been warning Web site developers about since
December 2005, was made to abide by a ruling in a patent infringement
lawsuit Microsoft lost in 2003 to the University of California and its
startup, Eolas Technologies Inc.

With the changes rolled out in a mandatory security fix, any IE user who
downloads and installs Tuesday's security patches -- either manually or via
an automated system such as Microsoft Update -- will likely need to modify
how they use those sites which haven't been rewritten.

What should users expect?

--- By default, IE will now consider embedded ActiveX content as inactive.
Thus on unmodified sites, ActiveX content will not run. In other words,
music won't play or a Flash component won't launch.

--- To activate an interactive ActiveX control, move the mouse over the
content -- which now will be boxed -- and click on the pop-up tool tip
dialog.

--- Alternately, users can press the Tab key until the focus is set on the
content's box, then press either the spacebar or Enter key to activate.

--- Each control on each page must be manually activated in this way.

Adobe has posted a short Flash-based demo that shows the activation process.
(Ironic note: If you're using IE after the Tuesday update has been applied,
you must activate the Flash demo manually.)

Microsoft has acknowledged that not all Web site developers will have
modified their pages to account for IE's new behavior -- the easiest way for
developers to sidestep user activation is to call the ActiveX controls via
JavaScript -- and so will also release a patch on Tuesday to delay the
changes.

"We will create a “compatibility patch” (deployed like a hotfix) that allows
customers to turn off the change for a limited period of time through the
June update cycle (2nd Tuesday in June)," wrote Mike Nash, Microsoft's head
of security, in a blog posting last month.

The patch will put off the activation requirements until June 13.

"[This is] to provide time for enterprise customers to resolve compatibility
issues," added Nash.



