The hotfix for MS06-042, which was supposed to be released today, has been delayed. Worse: It turns out that MS06-042 introduced a new security problem. The crashes everyone is having so much fun with are just the tip of the iceberg. The issue can also be used to execute arbitrary code.
At this point, we recommend:
- Keep MS06-042 applied if you can. It fixes more bugs than it creates.
- If you are having problems with internal web sites that can no longer be used: Restrict MSIE to be used internally only.
- Use Firefox/Opera or other browsers for now.
- "SandboxIE" can be used to protect your system from damage caused via MSIE.
- If you establish a "No MSIE" policy, you can use the snort rule below to detect accidental policy violations.
Snort Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(content: "|0D 0A|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0";)
Links:
http://isc.sans.org/diary.php?storyid=1611 (updated patch matrix)
http://research.eeye.com/html/alerts/AL20060822.html (EEye Alert regarding the code execution)
http://www.microsoft.com/technet/security/advisory/923762.mspxhttp://blogs.technet.com/msrc/archive/2006/08/16/447023.aspx (latest MSRC blog article regarding this issue, dated Aug. 16th).
Sandboxie