News

Two Critical Vulnerabilities in IE

Two critical vulnerabilities in Internet Explorer 5.01, 5.5 and 6.0 could allow code execution. Microsoft released a cumulative patch on Wednesday for Internet Explorer that fixes the flaws.

Like many flaws in IE, the newly patched bugs would require an attacker to send a specially malformed HTML e-mail or lure a user to a malformed Web page. Code execution under the flaws only runs under the privilege of the user.

The first flaw is a buffer overrun vulnerability that results because IE does not properly determine an object type returned by a server, Microsoft says. The second flaw exists because IE fails to put an appropriate block on a file download dialog box.

The patch requires a reboot, and it can be uninstalled. It can be found here:
www.microsoft.com/technet/security/bulletin/MS03-020.asp.

While the flaw can affect IE 6.0 in Windows Server 2003, a new default security setting called Enhanced Security Configuration effectively blocks the flaw unless an administrator has chosen to disable it.

Among other things, Enhanced Security Configuration sets the security level for the Internet zone to high, disables automatic detection of intranet sites, disables install on demand and non-Microsoft browser extensions and disables multimedia content.

Users who have set up Windows Server 2003 in Terminal Services mode are the major user group most likely to have disabled Enhanced Security Configuration. In a Terminal Services environment, Enhanced Security Configuration must be disabled to allow users to use IE in unrestricted mode.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.