At first Microsoft told me they would Patch Internet Explorer. Then
Internet Explorer 3.02 which was supposed to fix ALL of the security
holes from that month. (According to MS's Web page)
But IE 3.02 did not fix the security hole!
Then Microsoft told me that NT 4.0 Service Pack 3 will definitely fix the
whole.
I just downloaded it. It does NOT fix the security hole!
I lightly urge only those BUGTRAQ readers who feel that this is an important
security issue to send non-threatening email to "secure@microsoft.com" to
kindly request them to fix this hole.
To date, microsoft has not fixed this and similiar security holes! Maybe a
expoit code release to BUGTRAQ is in order to help speed things up.
By the way, I have been conversing with CERT the last 2 months, and they
still believe that Microsoft will fix the problem and CERT does not want
to issue an Advisory until the bug is fixed. However CERT should atleast be
notifing administrators to warn users not to use Internet Explorer until
this bug is fixed.
Thanks for all your help.
http://www.ee.washington.edu/computing/iebug/
-- Aaron Spangler EE Unix System Administrator Electrical Engineering FT-10 pokee@ee.washington.edu University of Washington Phone (206) 543-8984 Box 352500 or (206) 543-2523 Seattle, WA 98195-2500 Fax (206) 543-3842