Unscheduled Security Update Fixes Critical IE Flaws

By Larry Seltzer  |  Posted 2004-07-30 Print this article Print

Microsoft issues a cumulative update that addresses three critical vulnerabilities related to graphics files and cross-domain execution.

Microsoft Corp., as predicted, issued on Friday an "out of sequence" security update for Internet Explorer that addresses three critical vulnerabilities. The security bulletin accompanying the updates, numbered MS04-025, addresses three vulnerabilities rated "critical" that could result in an attacker executing code in the context of a logged-on user. If the user is logged on as Administrator, the attack would have free reign over the system.

The first vulnerability, titled "Navigation Method Cross-Domain Vulnerability," could allow an attacker to execute arbitrary code in the Local Machine security zone. Microsoft reports that many factors can make this vulnerability more difficult to execute, including installing certain previous updates. Nevertheless, Symantec reports this as the most critical of the three vulnerabilities and that they have already seen exploits of it in the wild.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
The other two vulnerabilities are related to the browsers handling of image files. Both are buffer overflows in Internet Explorers handling of these files, one for BMP files and one for GIF files. Internet Explorer 6 Service Pack 1 and Windows Server 2003, both 32-bit and 64-bit editions, are not affected by the BMP file vulnerability.

The GIF buffer overrun affects all versions of Windows and Internet Explorer and results when the attacker attempts to free memory that has already been freed. The bulletin indicates that this is most likely a denial-of-service attack, but the potential exists for it to be used to execute arbitrary code.

Read all about Microsofts battle to deliver secure software in eWEEK.coms special report The update also "refines" certain updates that were made earlier in Internet Explorer 6 Service Pack 1 having to do with cross-domain protections. The bulletin says that the changes were in response to new potential problems that could result from the other updates.

The update replaces a previous update, MS04-004. If users have applied that patch and subsequently applied non-public hotfixes they may have to reapply them after applying the new cumulative update. Users should consult the bulletin and Microsoft support.

Users can obtain the update via Windows Update or through links in the bulletin.

Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel