News

Two Critical Vulnerabilities in IE

• By Scott Bekker
• June 05, 2003

Two critical vulnerabilities in Internet Explorer 5.01, 5.5 and 6.0 could allow code execution. Microsoft released a cumulative patch on Wednesday for Internet Explorer that fixes the flaws.

Like many flaws in IE, the newly patched bugs would require an attacker to send a specially malformed HTML e-mail or lure a user to a malformed Web page. Code execution under the flaws only runs under the privilege of the user.

The first flaw is a buffer overrun vulnerability that results because IE does not properly determine an object type returned by a server, Microsoft says. The second flaw exists because IE fails to put an appropriate block on a file download dialog box.

The patch requires a reboot, and it can be uninstalled. It can be found here:
www.microsoft.com/technet/security/bulletin/MS03-020.asp.

While the flaw can affect IE 6.0 in Windows Server 2003, a new default security setting called Enhanced Security Configuration effectively blocks the flaw unless an administrator has chosen to disable it.

Among other things, Enhanced Security Configuration sets the security level for the Internet zone to high, disables automatic detection of intranet sites, disables install on demand and non-Microsoft browser extensions and disables multimedia content.

Users who have set up Windows Server 2003 in Terminal Services mode are the major user group most likely to have disabled Enhanced Security Configuration. In a Terminal Services environment, Enhanced Security Configuration must be disabled to allow users to use IE in unrestricted mode.