Microsoft Patches Critical IE Flaws


Written By
Dennis Fisher
Jun 4, 2003

Microsoft Corp. on Wednesday released patches for two critical flaws in Internet Explorer that enable an attacker to run code on a vulnerable PC.

These two vulnerabilities are also the first to potentially affect the recently released Windows Server 2003 operating system. However, the new version of Windows blocks both of these attacks in its default configuration, according to Microsoft security executives.

The first vulnerability is a buffer overrun that results from IE's failure to properly determine the type of an object returned from a Web server. An attacker could exploit this problem simply by having a user with a vulnerable machine visit a malicious Web site set up for this purpose; the user would not have to take any further action once on the site.

The second vulnerability results from IE not implementing a block on a file download dialog box. Both vulnerabilities would allow the attacker to run code on the user's machine.

The problems affect IE 5.01, 5.5, 6.0 and 6.0 for Windows Server 2003. Microsoft executives say that the new security safeguards in Windows Server 2003 were designed specifically to prevent these kinds of attacks by default. Of course, customers often change the default configuration after installation.

“In the lock-down configuration, these vulnerabilities just don't fire,” said Steve Lipner, director of security engineering strategy at Microsoft, based in Redmond, Wash. “We did it to achieve this benefit. That's a really significant thing.”

Most installations of the new OS won't have a Web browser running very often anyway, Lipner said, unless it is to download security fixes or other updates. “You don't typically use this server for normal Web browsing,” he said.

Microsoft officials have said that the first real test of its Trustworthy Computing initiative will be the security of its newest Windows release. They believe that if Windows Server 2003 shows real progress on security relative to older versions of Windows it will be a key validation for their effort.

And it won't be long before the first empirical evidence of that security is available. Lipner said Microsoft plans to release a comparison of the number of vulnerabilities found in Windows Server 2003 and in older versions of the OS later this summer.

While the new patch is rated critical for all other versions of Windows, it is only a moderate risk for 2003 installations. The patch is available here.
