Critical IE Patches Released
- By Scott Bekker
- February 12, 2002
Microsoft released a cumulative patch fixing three critical vulnerabilities for Internet Explorer on Monday night.
The patch includes fixes for six new vulnerabilities, although three represent only a moderate risk, and rolls together fixes for all previous IE vulnerabilities.
The new vulnerabilities affect IE 5.01, IE 5.5 and IE 6.0. Microsoft does not support versions of IE earlier than IE 5.01 with Service Pack 2.
"Customers using an affected version of IE should install the patch immediately," Microsoft recommends.
The most serious new vulnerability could allow an attacker to run code on a user's system. It involves a buffer overrun vulnerability in an HTML directive that is supposed to be used to incorporate a document within a Web page. The problem affects IE versions 5.5 and 6.0 but not IE 5.01.
The two other critical vulnerabilities affect all three versions of the browser. In one, a scripting function called GetObject can be abused by a Web page to read files on a visiting user's machine.
The other is a variant of the "Frame Domain Verification" vulnerability of Microsoft Security Bulletin MS01-058. This vulnerability also involves a malicious Web site operator reading files from a user's local computer and enables URL spoofing.
Patches for other newly discovered vulnerabilities include a file download dialogue spoofing problem, an application invocation via content-type fields and a script execution.
The Security bulletin can be read here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-005.asp.
The patch can be downloaded here: http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp.
Installation requires a restart, and the patch cannot be uninstalled.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.