New Internet Explorer Patch Plugs Serious Security Holes

A new patch released Friday by Microsoft fixes a number of critical vulnerabilities in the browser and related products. One of the holes filled by the patch concerns a deficiency in a previous patch for which exploits have begun to appear. The vulnerabilities affect all versions of Internet Explorer since version 5.01, which is to say all versions that are supported and for which Microsoft is supplying such patches. A separate vulnerability also patched yesterday could allow an attacker to use Windows Media Player to construct an Internet Explorer attack.

Information about the patches is available at these locations:

The new patches are available at the following locations:

Most users should go to the Windows Update site (Tools > Windows Update in Internet Explorer) to apply the patches. The patches are labeled there as:

  • Security Update for Windows Media Player (KB828026)
  • October 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 (KB828750)

One of the fixed problems could result in execution of arbitrary code simply by reading an e-mail message, so the problem is quite a serious one. Others would require that the attacker lure the victim to a web site and have them view a page containing the attack.