Microsoft Posts Critical Patch for IE Ahead of Regular Schedule

Microsoft on Wednesday released a security patch for the critical Internet Explorer flaw that was being exploited through compromised Web banner servers.

Microsoft considered the flaw, which has been public for about a month, important enough to release the patch ahead of its normal patching day, which falls on Dec. 14 this month.

Microsoft released the patch in security bulletin MS04-040, a cumulative patch for Internet Explorer that replaces a previous cumulative IE update included with MS04-038.

The flaw affects Internet Explorer 6.0, but not IE 5.0 or IE 5.5. Microsoft also says that IE 6.0 users are unaffected by the vulnerability if they have Windows XP Service Pack 2 installed or are using the version of the browser that shipped with Windows Server 2003.

The flaw results from an unchecked buffer in IE that processes certain HTML elements such as FRAME and IFRAME. The vulnerability has been referred to by others as the IFRAME vulnerability. Microsoft is officially calling the vulnerability the "HTML Elements Vulnerability."

If the victim is logged on as an administrator, an attacker can use the flaw to take complete control of the user's system over the Internet.
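The bulletin attributes the flaw to an unchecked buffer in IE's handling of FRAME and IFRAME elements, and the exploit was delivered through banner ads. A defender reviewing ad or proxy content can at least flag those elements when they carry abnormally long attribute values. The following scanner is an added example, not code from the article or from Microsoft; the 256-character threshold is an assumption, and because the article does not say which attributes were involved, every attribute on a FRAME or IFRAME tag is checked.

```python
from html.parser import HTMLParser

# Elements the bulletin names as processed by the unchecked buffer.
SUSPECT_TAGS = {"frame", "iframe"}
# Assumed threshold: normal src/name values are far shorter than this.
# This number is not from the bulletin; tune it for your content.
MAX_ATTR_LEN = 256


class FrameAttrScanner(HTMLParser):
    """Record FRAME/IFRAME tags whose attribute values exceed max_len."""

    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__()
        self.max_len = max_len
        self.findings = []  # (tag, attribute, value length, line number)

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in SUSPECT_TAGS:
            return
        line, _offset = self.getpos()
        for name, value in attrs:
            if value is not None and len(value) > self.max_len:
                self.findings.append((tag.lower(), name.lower(), len(value), line))

    # Self-closing forms such as <iframe ... /> are checked the same way.
    handle_startendtag = handle_starttag


def scan_html(html, max_len=MAX_ATTR_LEN):
    """Return a list of oversized attributes found on FRAME/IFRAME tags."""
    scanner = FrameAttrScanner(max_len)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an ordinary banner slot, one with an oversized NAME
# attribute, and an ordinary FRAME.
SAMPLE = (
    '<html><body>\n'
    '<iframe src="http://ads.example.net/banner.html" width="468" height="60"></iframe>\n'
    '<iframe src="http://ads.example.net/x.html" name="' + "A" * 2000 + '"></iframe>\n'
    '<frame src="menu.html">\n'
    '</body></html>'
)

if __name__ == "__main__":
    for tag, attr, length, line in scan_html(SAMPLE):
        print(f"line {line}: <{tag}> attribute {attr!r} is {length} chars long")
```

Run against the constructed sample, only the second IFRAME is reported; the ordinary banner slot and the FRAME pass.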

The security bulletin is available at www.microsoft.com/technet/security/bulletin/ms04-040.mspx.

Microsoft's bulletin acknowledges that the vulnerability was publicly disclosed and was being exploited already. Most security bulletins from Microsoft and other vendors are the first public disclosure of a problem and give end users in effect a grace period of a day or two to test and apply the patch before attackers begin exploiting it.

Public reports of the IFRAME or HTML Elements vulnerability began appearing in early November. US-CERT posted a vulnerability note about the problem on Nov. 3. By Nov. 21, the security firm LURHQ documented several sites that were using the vulnerability to compromise end-user systems with adware and trojans. The group warned that banner ads were being used to exploit the flaw to compromise systems. "The sites … are being rotated frequently and are not just small, unknown sites -- one of the hacked sites included a well-known Hollywood film studio's website," a LURHQ statement said.

Underscoring the patch's importance, this is only the fourth time Microsoft has issued a patch outside of its monthly patching day since instituting the process more than a year ago. The other out-of-band releases also involved unpatched flaws in Internet Explorer that were being exploited by attackers.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
