Cumulative IE Patch Addresses Critical Vulnerabilities
- By Scott Bekker
- May 16, 2002
Microsoft issued a critical cumulative Internet Explorer patch on Wednesday that corrects six newly discovered vulnerabilities and changes the behavior of the Web browser.
The security bulletin, MS02-023, is the third cumulative patch for IE this year and the fifth since November 2001. In all, the five cumulative patches have included fixes for 20 newly discovered vulnerabilities, with critical problems in each cumulative patch. Every cumulative patch by definition is supposed to include fixes for all previously discovered IE vulnerabilities.
Three of the vulnerabilities in the latest cumulative patch rate a critical designation on Microsoft's threat scale. A cross-site scripting problem in a local HTML resource affects IE 6.0; a local information disclosure through an HTML object affects IE 5.01, 5.5 and 6.0; and a problem in which script within cookies can read cookies affects IE 5.5 and 6.0.
Less serious vulnerabilities include a zone spoofing vulnerability through a malformed Web page and two new variants on what Microsoft calls the "Content Disposition" vulnerability.
Finally, the IE patch changes the way IE treats frames in the Restricted Sites zone. With the patch applied, IE disables frames in the Restricted Sites zone to protect Outlook Express and Outlook users against HTML e-mails that automatically open new windows or launch downloads of executable files.
The patch is available at http://www.microsoft.com/technet/security/bulletin/ms02-023.asp.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.