Critical Vulnerabilities in Internet Explorer

The US-CERT recommends not using Internet Explorer.

From:    crawdad@fnal.gov
Subject: Critical patch for Internet Explorer
Date:    July 30, 2004 17:46:42 CDT
To:      pc-manager@fnal.gov, winpol@fnal.gov
Cc:      cppm_reg_sysadmins@fnal.gov, computer_security@fnal.gov

MS04-025   KB867801
http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx

Microsoft has just released security bulletin MS04-025 concerning a new
patch, KB867801, for Internet Explorer versions 5.01, 5.5 and 6.  This
patch is now designated "Critical" at Fermilab and is required to be
installed on all Windows machines, with very narrow exceptions, by
August 13.

Various factors went into the decision to declare this critical.  Those
factors include the widespread existence of exploits against this
vulnerability, a number of recent incidents here that seem to be due to
Internet Explorer vulnerabilities, and the fact that Microsoft worked
very hard to get this patch out before the traditional August vacation
time.

Windows machines on which this patch is not critical:

  Those with no users (including admins!) who might use Internet
  Explorer to access some site other than microsoft.com, and no users
  reading email on them.


The US CERT has advised use of a different browser than Internet
Explorer.  (http://www.kb.cert.org/vuls/id/713878)  Be aware, however,
that IE may be activated to interpret certain types of content even if
it is not the browser you choose.  However, you do reduce your exposure
to several vulnerabilities by using something else for most web
browsing.