Microsoft Corp., as predicted, issued on Friday an “out of sequence” security update for Internet Explorer that addresses three critical vulnerabilities.
The security bulletin accompanying the updates, numbered MS04-025, addresses three vulnerabilities rated “critical” that could result in an attacker executing code in the context of a logged-on user. If the user is logged on as Administrator, the attack would have free reign over the system.
The first vulnerability, titled “Navigation Method Cross-Domain Vulnerability,” could allow an attacker to execute arbitrary code in the Local Machine security zone. Microsoft reports that many factors can make this vulnerability more difficult to execute, including installing certain previous updates. Nevertheless, Symantec reports this as the most critical of the three vulnerabilities and that they have already seen exploits of it in the wild.
The other two vulnerabilities are related to the browsers handling of image files. Both are buffer overflows in Internet Explorers handling of these files, one for BMP files and one for GIF files. Internet Explorer 6 Service Pack 1 and Windows Server 2003, both 32-bit and 64-bit editions, are not affected by the BMP file vulnerability.
The GIF buffer overrun affects all versions of Windows and Internet Explorer and results when the attacker attempts to free memory that has already been freed. The bulletin indicates that this is most likely a denial-of-service attack, but the potential exists for it to be used to execute arbitrary code.
The update also “refines” certain updates that were made earlier in Internet Explorer 6 Service Pack 1 having to do with cross-domain protections. The bulletin says that the changes were in response to new potential problems that could result from the other updates.
The update replaces a previous update, MS04-004. If users have applied that patch and subsequently applied non-public hotfixes they may have to reapply them after applying the new cumulative update. Users should consult the bulletin and Microsoft support.
Users can obtain the update via Windows Update or through links in the bulletin.