Microsoft has issued a patch, out of its normal security patch cycle, for a critical bug in Internet Explorer versions from 6.0 up to but not including Windows XP Service Pack 2 (SP2).
According to the advisory issued by Microsoft, the bug could allow remote code execution on an affected system.
The advisory also states that this patch, MS04-040, supercedes and replaces an earlier cumulative update, MS04-038.
But it may not contain hotfixes that were issued since the release of MS04-038, so users who have received hotfixes from Microsoft or another support provider should instead follow separate instructions in Knowledge Base article 889669.
The vulnerability is a buffer overflow in the handling of IFRAME and EMBED tags. By providing oversized source fields for those tags, an attacker could potentially execute arbitrary code on the users system.
Normally, one would be subject to attack by browsing a Web page that has the attack built into it, but with very old, unpatched e-mail clients, it is also possible to be compromised through HTML e-mail.
Both Windows XP SP2 and Windows Server 2003 are unaffected by the bug, as are 5.x versions of Internet Explorer. Patches are available for Windows XP, Windows 2000, Windows NT 4.0, Windows ME and Windows 98.
Not long after the IE vulnerability details were made public, it was discovered that certain ad servers had been compromised by hackers to deliver the attack to users.
The vulnerabilitys severity is underscored by the fact that this is only the second time that Microsoft has issued an out-of-cycle security patch since it instituted its monthly patch cycles in November 2003. The first out-of-cycle patch, in February, addressed a group of serious Internet Explorer problems.
The incident with the compromised ad servers was not the only exploit of this problem since it was revealed in early November. “There have been several worms and Trojans that have attacked computers vulnerable to this bug over the last few weeks, so its encouraging to see Microsoft go out of cycle to address it,” said Ken Dunham, director of malicious code at security firm iDefense Inc.
A major motivation behind introducing a regular monthly patch cycle was to allow administrators to plan for patching in an organized, informed manner. Just recently, Microsoft began giving advance notice—three business days in advance of patch day—of the number of patches involved and the products affected, in order to enhance that ability to plan.
But this particular vulnerability is serious enough that other plans may get shelved. “Administrators will be looking to test and deploy this patch as soon as its feasible,” Dunham said.
Also today, Microsoft is making a change to Windows Update for three previously released security updates. Microsoft discovered that customers running Windows XP SP1 have not been offered the updates that apply to their computers from the October monthly release.
Microsoft attributed this to the fact that these updates are already included in Windows XP SP2, and this is the update that Windows Update and Automatic Updates presents to these users.
The company said it continues to encourage customers to install Windows XP SP2, but it is making the October updates available Wednesday to all Windows XP SP1 users to help ensure that they are protected in the meantime.
Editors Note: This story was updated to include comments from iDefense and further details.