Hi Gordon,
Changing the extension of the verclsid.exe file prevents it from
running. Since the program in that file provides protection against
the security hole, the effect is the same as not installing (or
installing and then uninstalling) the update.
The result of that is that you're exposed to the *possibility* of
having a hacker take control of your PC. That's described in the
Vulnerability Details section of
http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx:
"A remote code execution vulnerability exists in Windows Explorer
because of the way that it handles COM objects. An attacker would need
to convince a user to visit a Web site that could force a connection
to a remote file server. This remote file server could then cause
Windows Explorer to fail in a way that could allow code execution. An
attacker who successfully exploited this vulnerability could take
complete control of an affected system."
Deciphering the gobbledygook, it means that if you don't have the
update, and if you visit a "bad" web page, the hacker gets a chance to
run any program he likes on your PC: one that searches your drive for
your social security number, bank account numbers, passwords, etc. and
sends them to the hacker; or a keylogger that watches for you to fill
in password fields on other web pages; or a "zombie" program that lets
the hacker route spam through your Internet connection; or... you get
the idea. ;-)
The workaround that Microsoft's Steven Hui suggests, until a
replacement is ready for the update, involves a change in the
registry. This is Method 1 in his post at
http://groups.google.com/group/micr...inetexplorer.ie6.browser/msg/094143b42d0c3ca2.
(Later in the thread he says that Method 2 works only for one user at
a time.)
--
Regards,
Jay Freedman
Microsoft Word MVP
Email cannot be acknowledged; please post all follow-ups to the
newsgroup so all may benefit.
