Microsoft Corp. on Wednesday issued patches for two new critical flaws in Internet Explorer.
The more dangerous of the two vulnerabilities results from IEs failure to properly check the object type that is returned from a Web server. It doesnt take much for an attacker to exploit this flaw; all thats needed is for a user on a vulnerable machine to visit an attackers Web site. The attacker would be able to compromise the PC without the user doing anything but calling up the site.
Once the computer is compromised, the attacker could run any code of choice on the machine.
The second issue is in IEs cross-domain security model. This model is what prevents windows in different domains from sharing information. A weakness in the model could enable an attacker to execute code in the My Computer zone. In order to exploit this vulnerability, an attacker would need a user to visit a malicious Web page, at which point the attacker could run a script on the users PC and cause the script to access data in a different domain.
The attacker would also be able to run executable files that are already on the vulnerable machine.
The cumub IE patch that fixes these flaws is located here. The vulnerabilities affect IE 5.01 through IE 6.0 for Windows Server 2003.
Microsoft, based in Redmond, Wash., also released a patch for a vulnerability in the Microsoft Data Access Components, versions 2.5-2.7. MDAC is used to provide connectivity to databases on Windows platforms, and is included by default in Windows ME, 2000, XP and Server 2003. However, the version in Windows Server 2003 isnt vulnerable to this problem.
When a client machine tries to see a list of the computers on a network that are running SQL Server, it sends a message to all of the devices on the network. Because of the weakness in MDAC, an attacker could send back a packet that would cause a buffer overrun.