RE: MS 3/28/02 Security Patch for IE6 - warning!

The Register was running the script locally - in the My Computer zone.  If 
you host the malicious HTML on a webpage, etc., then the patch does indeed 
prevent the execution of code.

At 12:51 AM 4/3/2002 +0200, Thor Larholm wrote:
>Further, the patch doesn't seem to work completely:
>
>http://www.theregister.co.uk/content/4/24667.html
>
>Though, in other cases, it works better than expected:
>
>http://jscript.dk/unpatched/N280302-01.html
>
>A revision of the patch may be in place.
>
>Regards
>Thor Larholm
>Jubii A/S - Internet Programmer
>
>-----Original Message-----
>From: Phil Dibowitz [mailto:webmaster@ipom.com]
>Sent: 2. april 2002 20:44
>To: bugtraq@securityfocus.com
>Subject: MS 3/28/02 Security Patch for IE6 - warning!
>
>
>BugTraq'ers,
>
>I usually consider this list a bit over my head, and don't post, just read.
>I'm not totally sure this is on-topic, but I think it is. =)
>
>The MS Security Patch for IE6:
>
>----------------
>Security Update, March 28, 2002 (Internet Explorer 6)
>2456 KB/ Download Time: < 1 min
>The "28 March 2002 Cumulative Patch for Internet Explorer" update
>eliminates all previously addressed security vulnerabilities affecting
>Internet Explorer 6, as well as two new vulnerabilities, and is discussed
>in Microsoft Security Bulletin MS02-015. Download now to protect your
>computer from these vulnerabilities, the most serious of which could allow
>a malicious user to run code on your computer.
>----------------
>(That's directly from the MS Windows Update Site)
>
>Seems to be pretty buggy. It trashed a Win2K machine of mine yesterday.
>After installing, I rebooted and shortly after lost my network
>connection... then I was unable to get into 'Network and Dialup
>Connections' or 'Add/Remove programs.' I tried recovery from 'Safe Mode'
>and 'Last known good configuration' options at boot, but I had the same
>problems in both modes. Doing a 'recovery' from CD didn't fix it either.
>As a last resort I chose to do an 'upgrade' from CD which downgraded IE6
>to IE5 fixing the problem. I was then able to patch up to the latest IE
>MINUS that patch.
>
>A friend of mine also had a very similar experience with the patch. I'm
>curious to know if others have the same problem, and I also wanted to warn
>people.
>
>Phil
>--
>Insanity Palace of Metallica
>http://www.ipom.com
>webmaster@ipom.com
>--

