March 28, 2006
Microsoft hangs people out to dry with Zero Day exploit
There's another reported security flaw in IE, and a wave of Zero Day Attacks underway. Predictably, Microsoft won't ship a patch any time soon, so I'm installing a temporary fix created by eEye Digital Security.
“This is a critical vulnerability that needs to be addressed immediately and, in the interests of our customers, we made the decision to release a temporary patch...” [snip] Maiffret continued, “eEye’s patch is not meant to replace the forthcoming Microsoft patch, but to provide immediate protection in lieu of an available fix. In fact, eEye has engineered the patch to automatically remove itself when Microsoft’s official patch comes through.”
However, this web page says something very different:
Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released. Please note that at this time this workaround only supports Windows NT, Windows 2000, Windows XP, and Windows 2003 and is fully removable.
So...what's...uh...the deal?
I went here and downloaded version 1.0.1 of the patch (JScriptPatchSetup101.exe).
I ran the .exe and chose Option 3 (apply temporary patch). Among the notes and warnings it displays the following:
- This patch is a temporary fix and should be removed before the official Microsoft patch is installed.
- This patch includes a checker that will uninstall itself when it detects a Microsoft patch has been installed. To disable the checker, run the installation with this command line (command is case-sensitive): JSCriptPatchSetup.exe NOCHECKER=1
After I ran it, I got a message that the patch had been successfully installed. Then, my Windows AntiSpyware Beta program gave me a nag and I said to allow the change. So, in theory, I'm protected, right? I don't use IE anyway, so it's not like it really matters.
Posted by Peenie Wallie on March 28, 2006 at 9:43 PM