“Microsoft confirmed Thursday that the createTextRange security flaw in Internet Explorer will be among those addressed in its monthly patch rollout April 11. In all, the company said on its TechNet site, customers can expect five updates for Microsoft Windows and Microsoft Office — at least one of them critical.”
The createTextRange vulnerability has been publicly known since March 22, 2006 (See the original advisory here). Exploits have been publicly available since March 23, 2006, such as this one posted to milw0rm shortly after the vulnerability was publicly announced. On March 27, 2006 SANS ISC reported that there were over 200 sites using this vulnerability and associated exploits to install malware and create botnets (See posting here). Seems to me that monthly patching should be more frequent because this doesn’t even take into account the people who had an exploit before all this went public.
There is still yet to be a patch released by Microsoft and the only workaround for IE users is to disable active scripting, which by the way breaks some web sites functionality (which is ironic because Active scripting (ActiveX) is why most people are forced to use IE). Here’s a tip, use Firefox. Of course then come the arguments such as how to control Firefox with group policy, or what to do with applications that only work with IE. Check out the WetDog project for group policy control over Firefox. If you have applications that require IE consider creating a shortcut that uses IE to access that application and let users do what they do best, click. Most organizations do not do this because they do not believe that IE vulnerabilities are a problem:
But now, she said, borrowing a phrase from the Star Trek universe, “the shields are holding.”
How is this measured? It is not like the days when worms were running loose destroying your networks. Times are different, malware (including spyware) and botnets are sneaky. They don’t want to be caught, its bad for business. They want to go undetected to fill your screen with pop-ups, turn your PC into a SPAM zombie, or quietly wait for the next command. Let me ask this question to our readers and listeners:
If a Windows box gets rooted with IE exploit on the Internet, will anybody notice?