
Conference minotr::security_advisory

Title: SECURITY_ADVISORY
Notice: Security is Everyone's Responsibility
Moderator: MINOTR::NOBLE
Created: Wed Dec 22 1993
Last Modified: Thu May 29 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 148
Total number of notes: 459

129.0. "CISG Security Advisory 1997-01, MS Int'net Explorer" by MINOTR::NOBLE (Your Data, Your Job...Protect Both) Thu Mar 06 1997 13:55

         DIGITAL INTERNAL USE ONLY
********************************************************************
*        CORPORATE SECURITY
*        CORPORATE INFORMATION SECURITY GROUP
*        Mar 06, 1997
*        SECURITY ADVISORY #1997-01
*
********************************************************************
[DO NOT DELETE THIS BANNER]


This security advisory is for immediate distribution to all internal 
Windows 95 and Windows NT V4.0 users of Microsoft(R) Internet
Explorer and any other appropriate internal support personnel and
organizations.  Cost Center managers hosting contract personnel are
responsible for ensuring appropriate forwarding of this bulletin. 
    
    
SUBJECT:  Major Security Problem in Microsoft Internet Explorer 
    
Microsoft Corporation has acknowledged a major security flaw in
Internet Explorer V2.0, V3.0 and V3.01 running on Windows 95 and
Windows NT V4.0.

    
REQUIRED ACTIONS:
    
All users running the impacted versions of Microsoft Internet
Explorer on their systems must ensure they have installed this
security patch.  

Users running V2.0 and V3.0 are strongly recommended to upgrade to
V3.01, as V3.01 contains security updates not included in earlier
versions.  Users running V2.0 must upgrade to at least V3.0, then
install this and all other available security patches for Internet
Explorer V3.0.  (See CISG Security Bulletin 96-04, 9 Sep 1996.)


AVAILABILITY:

Microsoft has currently made available patches in English and a few
other International language versions for the following platforms:

    Windows 95 Intel - Internet Explorer V3.0 and V3.01
    Windows NT V4.0 Intel - Internet Explorer V3.01

The following platforms will have a patch available shortly:

    Windows NT Alpha - Internet Explorer V3.01

Additional International language versions will be available during
the next few weeks.  Check the Microsoft WEB Home Page at the
following URL for ongoing availability:

    http://www.microsoft.com/ie/security/intl_fix.htm

Again, Microsoft will NOT provide a fix for Internet Explorer V2.0.

    
SECURITY KIT LOCATIONS:
    
The English version of this security software patch to Microsoft
Internet Explorer V3.01 for Windows 95/NT Intel is available to
internal personnel from the IBG Engineering Software Distribution
Server at:

    http://ibgzko.zko.dec.com/sdk-cgi-bin/software_distribution_form
    
    NOTE:   The IBG Engineering Software Distribution Server
    is now providing the most recent install kits for V3.01 for 
    Windows 95/NT Intel, and Windows NT Alpha.

As soon as the V3.01 patch for Windows NT Alpha is available, it
will be added to the IBG Engineering Software Distribution Server.

For International language versions (non-English) please check the
Microsoft WEB Home Page at URL:

    http://www.microsoft.com/ie/security/intl_fix.htm
    (Note that Microsoft may change this URL without notice.)

        
INSTALLATION INSTRUCTIONS:
    
From the IBG Engineering Software Distribution Server (identified
above), read all of the instructions for obtaining released software
kits.  Then select:

    Microsoft Internet Explorer 3.01a Patch 
    for Windows 95/NT 4.0 Intel Build 1215 or later 

    (or  Microsoft Internet Explorer 3.01a Patch 
         for Windows 95/NT 4.0 Alpha -- when it becomes available) 


NOTE:  To reiterate, it is strongly recommended that V2.0 and V3.0
users upgrade their Internet Explorer to V3.01.  To upgrade prior to
installing the security patch, read all of the instructions for
obtaining released software kits on the IBG Engineering Software
Distribution Server (URL identified above).  Then select:

    Microsoft Internet Explorer 3.01 for Windows 95/NT Intel 
  or
    Microsoft Internet Explorer 3.01 for Windows NT Alpha 


ADDITIONAL INFORMATION:

As of Wednesday 5 March, 1997, Microsoft has provided the following
statement:    

"No harm has been caused by this security breach to date. Users
could be affected by this problem if they are running Internet
Explorer 2.0, 3.0 or 3.01 for Windows 95 and Windows NT 4.0. We have
made the fix above available for all those customers. The security
breach cannot affect users of Internet Explorer 3.0/3.0a for Windows
3.1/NT 3.51 or Internet Explorer for Macintosh 2.1/3.0/3.0a. 

"Any users running Internet Explorer 3.0 and 3.01 for Windows 95 and
NT 4.0 could potentially be at risk, so Microsoft strongly
recommends that those users download the fix. It is worth noting,
however, that there is only one Web site that illustrates the issue
that we know about, and it is only for demonstration purposes.
Furthermore, we have not had any customer reports of this problem to
date, and a webmaster would have to create malicious code in order
to enable the threat."
        
    Microsoft is either a registered trademark or trademark of 
    Microsoft Corp. in the United States and/or other countries.

    
CONTACT INFORMATION:
Up-to-date reference information on local Information
Security contacts can be found at the following locations:

    INTERNAL WWW SERVERS
      Corporate Security
        http://corpsec.mso.dec.com/
      Information Services Security
        http://www-is-security.mso.dec.com/
      
    VIDEOTEXT SERVERS
      $ VTX SECURITY

    
NOTE:
    
The only authorized source of computer/network security related 
advisories and bulletins for Digital is the Corporate Information 
Security Group.  Please advise your system managers and users of 
Digital's computers and networks that any security warnings, alerts, 
advisories, and bulletins, especially those requiring responsive
action on their part, are the explicit responsibility of the
Corporate Information Security Group.
    
If an internal or external advisory or bulletin is received from 
other sources and no information on the topic has been received from 
CISG, please contact our group at DTN 223-8900. This allows a single 
focus for all security advisory and bulletin information for our
Company.
    
All security advisories and bulletins can be found via the 
Security Advisory Notefile MINOTR::SECURITY_ADVISORY
    http://www-notes.lkg.dec.com/minotr/security_advisory/ 
or in VTX SECURITY.	
    
DIGITAL INTERNAL USE ONLY

    