Microsoft Releases Cumulative Patch for IE
- By Stephen Swoyer
- November 14, 2001
Microsoft Corp. on Tuesday released a cumulative patch for Internet Explorer (IE) versions 5.x and 6.0. The patch fixes all known IE issues – and addresses three new vulnerabilities as well.
The patch fixes a serious vulnerability that is exposed by the way in which IE handles cookies – and which could disclose a user’s private information to unauthorized third parties. Microsoft acknowledged the presence of a bug in a security bulletin that it distributed last week to members of its security mailing list. In lieu of a patch, Microsoft at the time offered a temporary work-around that involved disabling IE’s Active Scripting facility.
The software giant said that the cumulative patch addresses all known IE issues – including a spate of bugs that Microsoft patched only last month – as well as three newly discovered vulnerabilities, all of which appear to be variations on existing problems.
For example, Microsoft confirmed that two of the new issues are made possible by flaws in the way IE handles cookies, although it stressed that the “underlying flaws” which expose the vulnerabilities in the first place are “completely unrelated.” The software giant acknowledged that an attacker who successfully exploits either vulnerability could, again, gain access to private information stored in a user’s cookies.
The third and final new vulnerability is related to the way in which IE handles URLs that include so-called “dotless” IP addresses. Dotless IP addresses – which are commonly used by spammers – are 32-bit numbers that resolve into equivalent dotted IP formats. Microsoft originally patched problems with IE’s dotless IP address handling capabilities in October 2001 and in October 1998.
Because of the way in which IE handles dotless IP addresses, Microsoft said that it’s possible that a malicious attacker could contrive (by virtue of a URL sent via e-mail or embedded within a Web page, for example) to entice a user to click on a malformed dotless IP address, which would then trick IE into opening the site in its less secure “Intranet” zone context.
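To make the dotless format concrete, the following Python example (added here, not taken from the article or from Microsoft's bulletin) converts a dotless host to its dotted form and flags URLs in message text whose host is a bare 32-bit number, the kind of check a mail or proxy filter could apply. The function names and the sample message are constructed for illustration, and handling of hexadecimal and leading-zero octal spellings goes beyond the decimal case the article describes.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def dotless_to_dotted(host):
    """Return the dotted-quad form of a host written as one 32-bit number, else None."""
    h = host.lower()
    try:
        if h.startswith("0x"):
            value = int(h[2:], 16)          # hexadecimal spelling
        elif h.isdigit():
            # A leading zero means octal, as in classic address parsers.
            value = int(h, 8) if len(h) > 1 and h[0] == "0" else int(h, 10)
        else:
            return None                     # ordinary name or dotted address
    except ValueError:
        return None
    if not 0 <= value <= 0xFFFFFFFF:
        return None                         # does not fit in 32 bits
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def find_dotless_urls(text):
    """Return (url, dotted_address) pairs for URLs whose host is a dotless IP."""
    findings = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            continue                        # malformed URL, nothing to classify
        dotted = dotless_to_dotted(host)
        if dotted:
            findings.append((url, dotted))
    return findings


# Constructed sample message; 192.0.2.1 is a documentation-only address.
SAMPLE = (
    "Please confirm your details at http://3221225985/login today.\n"
    "Our regular site is http://www.example.com/ or http://192.0.2.1/\n"
)

if __name__ == "__main__":
    for url, dotted in find_dotless_urls(SAMPLE):
        print(f"dotless host in {url} resolves to {dotted}")
```

Because such a host contains no dots, a filter that normalizes it to dotted form before applying zone or reputation rules evaluates the address the request would actually reach.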
The new IE patch rates a “moderate” across the board (for Internet-facing, intranet-based and client-only systems) according to Microsoft’s new security bulletin rating system. Nevertheless, the software giant encouraged customers to apply the patch to all supported systems. The patch is available here.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.