OSNews:

Only affects versions < 2.6.8 w/ iptables

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:15:00 GMT

Before everyone worries:

"The problem lies in the way the kernel handles iptables firewall logging, and only affects systems with iptables-based firewalls, such as SUSEfirewall2, Suse said."

"The bug affects Suse Linux 9.1 and Suse Linux Enterprise Server (SLES) 9; Suse Linux 9.2 isn't affected because the version of the kernel it uses, 2.6.8, already contains a fix."

God

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:19:00 GMT

I just switched to OpenBSD.

vector

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:22:00 GMT

only affects systems with iptables-based firewalls, such as SUSEfirewall2, Suse said."

Which is pretty much every Linux distribution.
Is it possible to download the source of SuSE 2.6.8 kernel?
:-)

Re: God

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:25:00 GMT

I just switched to Windows 95 :-)

The Suse warns is 7 days old

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:28:00 GMT

This is not a new, because is 7 days old.

look:

http://www.suse.com/de/security/2004_37_kernel.html

Package: kernel
Announcement-ID: SUSE-SA:2004:037
Date: Wednesday, Oct 20th 2004 18:00 MEST
Affected products: 9.1
SUSE Linux Enterprise Server 9
Vulnerability Type: remote denial of service
Severity (1-10): 9
SUSE default package: yes
Cross References: CAN-2004-0816
CAN-2004-0887

Content of this advisory:
1) security vulnerability resolved:
- remote system crash with enabled firewall
- local root exploit on the S/390 platform
- minor /proc information leaks
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- libtiff
- cyrus-sasl
- php4
- zinf

What difference does it make....

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:30:00 GMT

if you've been running 2.6.8 for months now?

Damn SuSE

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:34:00 GMT

If they want to stick with old builds, thats what they're gonna get.

Re: God

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:35:00 GMT

I sold my computer but still worried....now where's my medication...

RE: God

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:39:00 GMT

I just switched back to my Vic 20

RE: God

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:41:00 GMT

Sweet Jesus! I hope my Windows Neptune computer will be ok!

good service

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:41:00 GMT

What difference does it make....if you have been
running 2.6.8 => for weeks

Nothing, but there are a lot (SuSE 9.1) users with kernel < 2.6.8 .

RE: God

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:49:00 GMT

Back to my AN/UYK-7.

solution

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 16:57:00 GMT

Then if those users have internet connection, they should make use of "YOU".

I don't like the SuSE Linux Distro that much, but YOU improved over time, and i would call it a bit better than WindowUpdate.

But far from what's possible || others already realised.

Why such a fuzz about that Problem?

Re: TomHu

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 17:02:00 GMT

Just curious, what do you not like about SuSE 9.1?
I have a few issues with it as well. I have found that a few things with networking and pcmcia cards do not work as they should, and I'm surprised that the problems passed through QA.

9.2 Pro

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 17:24:00 GMT

9.2 Pro seems to fix some things and break some others...I've noticed (on separate machines) that after a while, the volume levels for sound are set to mute by default and it takes some fiddling to get sound back at boot.

RE: God

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 17:25:00 GMT

I just threw all of my computers in the trash compactor and stabbed my toaster to death...I think everything is going to be fine.

Very Old

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 17:31:00 GMT

This problem has been known for months. It relies on a carefully crafted packet, or set of packets, being sent to totally crash a Linux system using IPTables.

Some real work would be required to make it into a way of getting into your system, but it could be used to take a fair few systems offline.

old news

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 17:42:00 GMT

grr bad osnews for reposting old news, I got worried for a sec there

Wake up and Smell the PR

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 17:46:00 GMT

I've been using Suse distros at home for a couple of years now and am fairly happy with their products but I can't help but detect a note of cynical opportunism about this - funny how they suggest an upgrade to the release that's just about to go on sale is the best fix for the problem...

Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 17:56:00 GMT

Re: Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:04:00 GMT

I am happy today and wish more vulnerabilities are found in Linux so that i can tell these worthless linux zealots to stop cursing windows for no reason.

I hate to tell you this, but we don't curse Windows for no reason.

Windows sucks.

Good thing I fixed this exploit months and months ago on my machines...

Re: Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:06:00 GMT

Even though Linux is good but these Linux fanboys are making people like me who love both windows and linux so alienated from Linux that i love to see them getting kicked.

Ditto. Especially a system like Linux that has a fast growth rate unlike OpenBSD. It's clear that security breaches will appear. Thank God the code is open-source so that developpers around the world can point out these flaws and make it more secure. Linux shouldn't be a religion. Sorry. I also use both Windows and FreeBSD, and I'm not ashamed. I'm just working.

RE: Wake up and Smell the PR

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:07:00 GMT

Very astute point, I was thinking the same thing.

An organization could save a lot of money finding (or hiring) in-house talent to simply upgrade their kernel(s), it's quite simple.

RE: Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:08:00 GMT

"cursing windows for no reason."

O beleive me theres a lot of reason ot curse Windows. From its crappy file system to its security. Look at the list of critical problems for Windows. Just cleaned up a friends Windows for getting a trogan while play America's Army. I had to call the trogan man and it still did no good. But I curse Linux everyday too so maybe I just need anger managment.

Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:18:00 GMT

Where are all the linux fanboys who just like to abuse windows. hahahaha....not that i hate Linux but i hate linux fanboys attitude who just like to feel superior and say bad about other OS. I am happy that finally the got a kick on their A.

Even though Linux is good but these Linux fanboys are making people like me who love both windows and linux so alienated from Linux that i love to see them getting kicked.

I am happy today and wish more vulnerabilities are found in Linux so that i can tell these worthless linux zealots to stop cursing windows for no reason.

We are here. And we don't say that Linux has no problems. What we say is look at the difference! Notice not ONE person has come on here, and there has not been any reports of Suse (This affects Suse, not all versions of Linux) machines being crashed, hacked or worms spreading like Ebola! Unlike with Windows. And WOW this story comes out here and there is already a fix which has been out for some time. With windows most people find out AFTER they wonder why their machines keep rebooting!

MS should take some lessons!

Re: Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:25:00 GMT

Where are all the linux fanboys who just like to abuse windows. hahahaha....not that i hate Linux but i hate linux fanboys attitude who just like to feel superior and say bad about other OS. I am happy that finally the got a kick on their A.

Try looking at the nature of the faults, how serious they are and under what circumstances they can be exploited. Microsoft should be so lucky to have an exploit like this were no one can take over the system and all it does is take the box down through something that has to be crafted.

April 2004 - 2.6.8 - Fedora Core 2

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:27:00 GMT

So, from the other comments, 2.6.8 and later is not impacted?

RE: Re: Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:29:00 GMT

Try looking at the nature of the faults, how serious they are and under what circumstances they can be exploited.

Did you miss the severity rating of 9/10? I put it right there for people like you who would try and downplay it.

Re: Ha ha ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:47:00 GMT

"Where are all the linux fanboys who just like to abuse windows."

Nowhere. But as you can read, obviously the Windows fanboys are everywhere.

Let's face it: When a Windows security exploit is announced, Microsoft zealot defend it with their live, saying things like "it's the user's fault", and often it takes several weeks before there's a fix.
When a Linux security exploit is announced, developers quickly fix it. The problem is thoroughly analyzed, published and discussed. And while the Microsoft zealot troll at how Linux sucks and is insecure, the rest of the world is busy fixing the problem and couldn't care less about the Microsoft zealots, and getting on with their lives.

RE: Re: Ha Ha Ha By Anonymous

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:47:00 GMT

Did you miss the severity rating of 9/10? I put it right there for people like you who would try and downplay it.

It's not to be downplayed. But at the same time has anyone had their machines taken down by a hack related to it?

On top of that it's a DOS attack not a take over, not a root kit (Which the MAC OS warning that came out the other day was. Isn't the MAC OS based on Free BSD?) not a worm and not a virus!

That means someone has to find that you have that particular version of Suse with that particular Kernel: Read the security report:

1) problem description, brief discussion

An integer underflow problem in the iptables firewall logging rules can allow a remote attacker to crash the machine by using a handcrafted IP packet. This attack is only possible with firewalling enabled.

We would like to thank Richard Hart for reporting the problem.

This problem has already been fixed in the 2.6.8 upstream Linux kernel, this update contains a backport of the fix.

Products running a 2.4 kernel are not affected.

Mitre has assigned the CVE ID CAN-2004-0816 for this problem.

Additionaly Martin Schwidefsky of IBM found an incorrectly handledprivileged instruction which can lead to a local user gaining root user privileges.

This only affects the SUSE Linux Enterprise Server 9 on the S/390 platform and has been assigned CVE ID CAN-2004-0887.

Look how easy it is to fix without even putting in the patch right away:

2) If you are not using an iptables based firewall (like SUSEfirewall2)on your system, you are not affected.

If you are using a firewall, a workaround is to disable firewall logging of IP and TCP options.

We recommend to update the kernel.

Good lord calm down. LOL!

I prefere OpenVMS

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:50:00 GMT

Because now, we have the proof that some Microsoft spys work secretly on the kernel, this is the only rational explanation. Until they are identified, the kernel is no longer safe.

Re: Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:56:00 GMT

So? What's your point? The kernel had a bug, and now it's fixed. All software has bugs, get over it. Only Microsoft zealots keep whining about a problem that has already been fixed. Namely: you.
It just shows that while the rest of the world is doing something productive - fixing bugs, discussing new security mechanisms, etc. - you are acting like a 13-year old kid and wasting your time on mindless zealotry. Go do something useful, nobody cares about you nitpicking.

Re: RE: Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 18:59:00 GMT

" "cursing windows for no reason."

O beleive me theres a lot of reason ot curse Windows. From its crappy file system to its security. Look at the list of critical problems for Windows. Just cleaned up a friends Windows for getting a trogan while play America's Army. I had to call the trogan man and it still did no good. But I curse Linux everyday too so maybe I just need anger managment."

Funny, most of the problems I encounter with Windows systems 98% of the time were due to PEBKAC. I just cleaned off two Windows XP machines: one had NO anti virus and no firewall for their broadband connection while the other had spyware up the wazoo because of their kids' exploits (most of the spy junk was under the kids' logins). No matter what OS developers do they cannot patch the human element.

Properly maintained (not as hard as it sounds) and a little knowledge about do's and don'ts online can go a long way to a virus/spyware free Windows PC.

it's not a remote root

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 19:05:00 GMT

according to the article, there is no remote root. it's a remote DoS (denial of service). BIG difference. the other flaw mentioned in the article appears to be a local root for S/390 SuSE linux.

toast this

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 19:08:00 GMT

stabbed my toaster to death

everyone knows toasters run NetBSD and are NOT affected. you just wasted a perfectly good toaster.

RE: toast this

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 19:11:00 GMT

"everyone knows toasters run NetBSD and are NOT affected. you just wasted a perfectly good toaster."

Aaaah, but only linux will run on a dead badger:

http://www.strangehorizons.com/2004/20040405/badger.shtml

RE: God

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 19:15:00 GMT

Mac OS X, on the other hand, keeps getting better and better.

It's the Linux KERNEL!

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 19:16:00 GMT

SUSE isn't the issue here folks...it's any distribution running Linux kernel 2.6. So switching distros isn't going to help you if the kernel is the same. SUSE was only reporting the security issue. Don't shoot the messenger.

RE: Mac OS X, on the other hand, keeps getting better and better.

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 19:24:00 GMT

Macintouch reports that the first instance of destructive malware for the Mac has been identified. It doesn't appear to spread on its own, however.

It appears as an item called "Opener" in /Library/StartupItems containing a bash script. When a system starts up, this item will run and does the following:

* tries to install ohphoneX, a teleconferencing program

* kills LittleSnitch before every Internet connection it makes
* installs a keystroke recorder
* creates a hidden account
* grabs the open-firmware password
* Installs OSXvnc
* Grabs your office 2004 PID (serial number), as well as serial numbers for Mac OS XServer, adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and webserver users.
* tries to decrypts all the MD5 encrypted user passwords
* decrypts all users keychains.
* grabs your AIM logs, and other settings and preferences with info you probably don't want others to have
* grabs stuff from your Classic preferences
* ghanges your Limewire settings to max out your upload and files.
* installs dsniff to sniff for passwords
* has your daily cron task try to get your password from the virtual memory swapfile
* installs an app called John The Ripper - a password cracker that uses a dictionary method to crack passwords
* turns on file sharing and places the information it gathers in a hidden directory called .info inside your public folder.

The hidden user account is called LDAP-daemon.

One way to see if you're infected is by entering the following command in the terminal:

sudo ls -l /Users/*/Public/.info

If you're NOT infected, it will show:

ls: /Users/*/Public/.info: No such file or directory

http://64.233.161.104/search?q=cache:DnMyvqEglRkJ:www.macmegasite.c...

hmm, somebody is awake after all

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 19:25:00 GMT

Good morning.

Re: God

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 19:33:00 GMT

I just switched back to a mule-powered abacus.

Re: RE: Re: Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 20:00:00 GMT

Did you miss the severity rating of 9/10? I put it right there for people like you who would try and downplay it.

It's got a high severity rating because it can take down whole systems, and many people will be using IPTables so that's why a patch is required. However, we should not pretend that this is some free RPC/DCOM back entrance into your systems that allows others total control. It isn't.

As IT professionals, we're supposed to make those judgements and use our intelligence.

cattle

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 20:12:00 GMT

Wasted time, only most of them can do is imitating eachothers
stupidity.

Goodness

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 20:17:00 GMT

Apparently somebody doesn't have anything better to do than to "Report abuse" on this thread!

RE: Goodness

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 21:08:00 GMT

Yeah you see it every day! someone on here needs to get a life and stop taking things so seriously!

@tyrone:

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 21:12:00 GMT

actually, they just have to find anyone running a pre-2.6.8 kernel in the 2.6 series. but as others have pointed out, this is a DoS not an access vulnerability, which makes such a high rating a little odd. What would they rate an easily exploitable remote root vuln? 11, in homage to Spinal Tap? Note that Secunia gave it a moderate rating.

Pay closer attention.

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 22:19:00 GMT

I wish people would take time to not only review articles before posting on OSNews but also actually take time to read security notices from developers. The SuSE Linux Security Response Team released the notice on Oct. 20, 2004 then released a bug fix through YOU (YaST Online Update) later that same day. You do not have to update to 2.6.8 or the latest kernel 2.6.9 since Novell as typical back ports security features in their customers kernel. So I now have the fix for kernel 2.6.5-7.111 that was auto-installed thanks to SuSE Watcher which also gives security notices when updates are available. How fast does Microsoft, Apple or even other Linux developers respond with such an issue..6 hours, 24 hours, weeks or even months? Come on people get a grip and relax.

Re: Re: RE: Re: Ha Ha Ha

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 23:00:00 GMT

>However, we should not pretend that this is some free RPC/DCOM back entrance into your systems that allows others total control.

We should not pretend that RPC/DCOM is back entrance. It was a bug, like bug in SSH that allowed back entrance into your systems that allows others total control. Like bug in Sendmail that that allowed back entrance into your systems. Like bug in Apache that allowed back entrance into your systems.

We should also not pretend that we don't know the patch for RPC/DCOM was available days, weeks before the exploit.

>As IT professionals, we're supposed to make those judgements and use our intelligence.

True, and also not spread the FUD about OS we don't like and sugarpill issues with OS we do.

Linux kernel remote DoS is non-issue, if you listen to some.

For extra fun: initial version of SuSe advisory suggested to apply patch OR disable firewall. True fact. I am glad they took that pathetic suggestion off.

Auto-Update is evil

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 23:02:00 GMT

>I now have the fix for kernel 2.6.5-7.111 that was auto-installed thanks to SuSE Watcher which also gives security notices when updates are available.

But, but, but.. auto-update is evil! At least, it were evil until Linux distros innovated it. Finally, it is good.

Sure, it is good- glad we can all come to senses and stop putting users in a harms way by telling them disable automatic updates of their beloved [enter name here] OS.

@russian guy:

donotreply@osnews.com (Anonymous) — Thu, 28 Oct 2004 23:14:00 GMT

erm, whoever said autoupdate was evil? It's fairly evil for enterprise situations where patches can have unintended effects, but then, any half-competent sysadmin can turn it off. Now, pushing non-security-related (i.e., new versions and 'features') and EULA changes over auto-update, that would be a different matter, and that's what some people worried about when Microsoft started using auto-update. Not sure if it's actually happened, though.

Re: Auto-Update is evil

donotreply@osnews.com (Anonymous) — Fri, 29 Oct 2004 09:16:00 GMT

Some people like auto-updates, some people do not.

It doesn't matter the OS you use - if you like it, turn it on.. if you don't turn it off..

rewriting history

donotreply@osnews.com (Anonymous) — Fri, 29 Oct 2004 16:31:00 GMT

We should also not pretend that we don't know the patch for RPC/DCOM was available days, weeks before the exploit.

this is not exactly true. i was reading Bugtraq when LSD released the exploit. they basically told MS, gave them 0 to few days, then released a preliminary post that gave few details. others figured out the rest of the exploit and released PoC code, a few days later the worm was released.

The patch was available before the worm, and probably before the PoC code. but LSD (last stage of delirium) had it first.

Re: RE: Re: Ha ha ha

donotreply@osnews.com (Anonymous) — Fri, 29 Oct 2004 18:06:00 GMT

one had NO anti virus and no firewall for their broadband connection

You cannot call this user error. An OS should be secure by default. It should not rely on the user downloading or buying external programs.

Re: Auto-Update is evil

donotreply@osnews.com (Anonymous) — Fri, 29 Oct 2004 18:39:00 GMT

Evil, no. A PITA, yes. Imagine you have machine set for auto update, you're on dial up, and here comes a 75mb SP2 coming down the wire. Now that's a lot of fun. Forget using the internet for the rest of the day.

Re: RE: Re: Ha ha ha

donotreply@osnews.com (Anonymous) — Fri, 29 Oct 2004 18:44:00 GMT

Funny you should make an issue of this, when only a short time after SP2 was released, we got this:
http://www.osnews.com/story.php?news_id=8537
"Microsoft warns of a score of security flaws"

A score, mind you. We're talking about ONE exploit here.

"Microsoft on Tuesday published 10 software security advisories, warning Windows users and corporate administrators of 22 new flaws that affect the company's products."

22. Count'em.

RE: Re: RE: Ha Ha Ha

donotreply@osnews.com (Anonymous) — Fri, 29 Oct 2004 20:51:00 GMT

Funny, most of the problems I encounter with Windows systems 98% of the time were due to PEBKAC. I just cleaned off two Windows XP machines: one had NO anti virus and no firewall for their broadband connection while the other had spyware up the wazoo because of their kids' exploits (most of the spy junk was under the kids' logins). No matter what OS developers do they cannot patch the human element.

That is why they have to make the system more secure in the first place. Even on my own system, on the Windows side (the system I use like 5 % of the time ) with a firewall, and antivirus and two spyware removal tools I get infected sometimes. They cannot expect the kids, especially if they are youngers, to know everything about computer/Internet security. I am surprised that all these softwares can be installed on my computer without me authorizing any of them.

Properly maintained (not as hard as it sounds) and a little knowledge about do's and don'ts online can go a long way to a virus/spyware free Windows PC.

Your grandmother will probably never be a security expert. Does that mean that she could not use the Internet herself ? Linux is far from perfection cause it is maybe a bit more difficult to install/configure. But once installed, you do not have to worry about spywares, you use Firefox to block most popups(with the Adblock extension, you can easily block ads too) and can laugh in the face of all the Windows viruses.

Re: mikeyd (IP: ---.plus.com)

donotreply@osnews.com (Anonymous) — Sat, 30 Oct 2004 03:41:00 GMT

You cannot call this user error. An OS should be secure by default. It should not rely on the user downloading or buying external programs.

1. XP has a prefectly good builtin firewall.
2. Operating systems cannot stop users deliberately installing and running software (which is, from the OS's perspective, all a virus is).

Which aspect of "security", exactly, do you feel will stop an end user installing a program that has malcious code in it ?

Re: Jean-Marc (IP: ---.agere.com)

donotreply@osnews.com (Anonymous) — Sat, 30 Oct 2004 07:39:00 GMT

That is why they have to make the system more secure in the first place. Even on my own system, on the Windows side (the system I use like 5 % of the time ) with a firewall, and antivirus and two spyware removal tools I get infected sometimes.

You don't "get infected", you (clearly) practice risky behaviour and pay the price. For anything to be installed, you must be running as an Administrator. Presumably you're also using some version of IE that isn't up-to-date with patches, or some mail client that isn't patched (or has known vulnerabilities).

These things don't just appear out of the ether - something you are doing is allowing them to be installed. Tr running as a regular user and using Firefox instead of IE.

Hell, if you *must* run IE to browse dodgy web sites (which would be my first guess as to where the spyware, etc is getting in) then create a new "Limited User" account to specifically run only the IE executable under use it via the "Run As" facility from your regular account. This is trivial to do with Windows 2003, XP or 2000.