New Microsoft Advisory

January 28, 2011

Microsoft has issued a Security Advisory (2501696) for Windows about a newly discovered security flaw [CVE-2011-0096] that affects Internet Explorer, as well as, potentially, any other applications that use Windows’s MHTML protocol handler. (MHTML is an Internet protocol that defines a MIME structure for wrapping HTML content.) The potential attack is somewhat similar to server-side cross-site scripting. All currently supported versions of Windows are affected, except Windows 2008 Server Core installations.

The Advisory provides a work-around to mitigate the vulnerability. The Windows Registry can be modified to prevent the execution of scripts within an MHTML document. Modifying the Registry incorrectly can have serious bad effects, including making your system fail to boot. It is not a job for the ten-thumbed. Microsoft’s consumer-oriented article on this advisory has a “FixIt” tool that will apply the Registry work-around for you; there is also a tool to uninstall it. Like other work-arounds, this has the potential to cause problems, so careful testing is advisable. So far, there is no announced schedule for a patch.

This vulnerability seems to be potentially exploitable in a number of different ways.  If you must use Internet Explorer, I suggest that you try the FixIt tool, carefully.


OpenOffice 3.3 Released

January 28, 2011

The OpenOffice project has released a new version, 3.3, of its office productivity suite.  The new version incorporates a number of new and enhanced capabilities, which are summarized on this page.  It also fixes 14 security vulnerabilities, some serious, which are summarized in the Security Bulletins.  More information on the changes is also available in the Release Notes.

You can obtain the installation packages, for Mac OS X, Windows, Linux, and Solaris, from the download page, in a variety of (human) languages. Windows and Linux users should note that the installation packages generally include the Java run-time environment; but it is possible to download a version without Java. Java is used to implement a number of features of OpenOffice, but it is possible to install OpenOffice without it. (The OpenOffice site has a list of features that require Java; I wrote about the pros and cons of installing Java in this post.)

Because of the security updates in the new version, I recommend that you upgrade your installation.
