Microsoft to fix 26 vulnerabilities on patch day
There will be no further updates for Windows 2000 after 13th July 2010 and Windows XP Service Pack 2 will also cease to be supported after this date. SP2 users are advised to update to SP3. Windows Vista RTM will be supported until 13th April 2010 only, Vista SP1 until 12th July 2011.
All versions of Internet Explorer from 5.01 to 8 on all supported Windows platforms are reportedly affected. Windows XP Home users, however, appear to be unaffected by the problem, as XP Home does not include a hidden C$ administrative share for websites to access.
The crux of the problem is that security zone settings in Internet Explorer are not always enforced when a path is entered in the browser in UNC (Uniform Naming Convention) format (e.g. file://127.0.0.1/C$/.../index.dat). This means that, under specific conditions, JavaScript from the Internet Zone can access (and render) local files, despite the zone model being intended to prevent this.
http://www.h-online.com/security/news/item/Internet-Explorer-still-a-problem-child-916160.html
Microsoft has merely patched things up without addressing the actual core problem. There are, however, other routes for getting around the zone model. According to Medina, these routes are very hard to block, since they relate to fundamental functions of the browser designed to enable it to work seamlessly with other applications.
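For defenders reviewing proxied or archived web content, the UNC-format path described above can be flagged with a simple scan. This is an added example, not code from the article or from Microsoft; the function names, the severity labels and the sample input are assumptions, and it also covers the `\\host\share` spelling, which goes beyond the single `file://` form the text quotes.

```javascript
// Added example: flag UNC-form file references in web content (proxy or log review).
// Matches file://host/share/... and \\host\share\... ; file:///C:/... has an empty
// host, is not UNC form, and is therefore not matched.
const UNC_REF = /(?:file:\/\/|\\\\)([A-Za-z0-9.\-]+|\[[0-9A-Fa-f:]+\])[\/\\]([^\/\\\s"'<>]+)/gi;

function isLoopback(host) {
  const h = host.toLowerCase();
  return h === "localhost" || h === "[::1]" || /^127(\.\d{1,3}){3}$/.test(h);
}

function findUncFileRefs(content) {
  const hits = [];
  for (const m of content.matchAll(UNC_REF)) {
    const [ref, host, share] = m;
    hits.push({
      ref,
      host,
      share,
      loopback: isLoopback(host),
      adminShare: share.endsWith("$"), // hidden shares such as C$ or ADMIN$
    });
  }
  return hits;
}

// Hypothetical severity scale: remote content pointing back at the visitor's
// own machine through a hidden administrative share ranks highest.
function severity(hit) {
  if (hit.loopback && hit.adminShare) return "high";
  if (hit.loopback || hit.adminShare) return "medium";
  return "low";
}

// Constructed sample input, not taken from any real page or log.
const SAMPLE = [
  '<iframe src="file://127.0.0.1/C$/example/index.dat"></iframe>',
  '<a href="file:///C:/docs/readme.txt">local doc</a>',
  '<img src="\\\\fileserver\\public\\logo.png">',
  '<script src="https://example.com/app.js"></script>',
].join("\n");

function report(content) {
  return findUncFileRefs(content).map(h => `${severity(h)} ${h.host} ${h.share}`);
}

console.log(report(SAMPLE));
```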
Chrome apes IE8, adds clickjacking, XSS defenses
Petition urges British government to dump IE6