A new patch released Friday by Microsoft fixes a number of critical vulnerabilities in Internet Explorer and related products. One of the holes filled by the patch concerns a deficiency in a previous patch for which exploits have begun to appear. The vulnerabilities affect all versions of Internet Explorer since version 5.01, which is to say all versions that are supported and for which Microsoft is supplying such patches. A separate vulnerability also patched yesterday could allow an attacker to use Windows Media Player to construct an Internet Explorer attack.
Information about the patches is available at these locations:
- For End Users: What You Should Know About Microsoft Security Bulletin MS03-040 (828750)
- More Technical Information: Microsoft Security Bulletin MS03-040 - Cumulative Patch for Internet Explorer (828750)
The new patches are available at the following locations:
- For all versions except Microsoft Internet Explorer 6.0 for Windows Server 2003
- For Microsoft Internet Explorer 6.0 on Windows Server 2003
Most users should go to the Windows Update site (Tools-Windows Update in Internet Explorer) to apply the patches. The patches are labeled there as:
- Security Update for Windows Media Player (KB828026)
- October 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 (KB828750)
One of the fixed problems could result in execution of arbitrary code simply by reading an e-mail message, so the problem is quite a serious one. Others would require that the attacker lure the victim to a web site and have them view a page containing the attack.