Microsoft Issues 'Critical' IE Patch

Another 'critical' cumulative patch is issued for Internet Explorer versions 5.01, 5.5, 6.0.Problematic Windows NT Patch Pulled


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

On-Demand Webinar

Posted February 5, 2003

Ryan Naraine

Ryan Naraine

For the third time in as many months, Microsoft has issued a cumulative patch for its flagship Internet Explorer browser, warning that two newly discovered vulnerabilities involving the cross-domain security model should be considered "critical."

A security advisory from Microsoft said the latest IE fix includes the functionality of all previously released patches for Internet Explorer versions 5.01, 5.5, 6.0.

The latest bugs, detected by Swedish researcher Andreas Sandblad, affected the browser's cross-domain security model which keeps windows of different domains from sharing information. "These flaws results in Internet Explorer because incomplete security checking causes Internet Explorer to allow one website to potentially access information from another domain when using certain dialog boxes," the company warned.

To exploit the holes, an attacker would have to host a malicious web page aimed at this particular vulnerability and then persuade an IE user to visit that site. "Once the user has visited the malicious web site, it would be possible for the attacker to run malicious script by misusing a dialog box and cause that script to access information in a different domain," Microsoft explained.

"In the worst case, this could enable the web site operator to load malicious code onto a user's system. In addition, this flaw could also enable an attacker to invoke an executable that was already present on the local system," it cautioned.

Separately, Microsoft's 5th advisory this year warned that the Windows Redirector on Windows XP contains an unchecked buffer vulnerability that could lead to denial-of-service.

That flaw, rated as "important" could also allow an intruder to execute harmful code if data was crafted in a particular way. A patch to fix the Windows Redirector problem was also posted.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.