Microsoft Releases Cumulative Patch for IE

Microsoft Corp. on Tuesday released a cumulative patch for Internet Explorer (IE) versions 5.x and 6.0. The patch fixes all known IE issues – and addresses three new vulnerabilities as well.

The patch fixes a serious vulnerability that is exposed by the way in which IE handles cookies – and which could disclose a user’s private information to unauthorized third parties. Microsoft acknowledged the presence of a bug in a security bulletin that it distributed last week to members of its security mailing list. In lieu of a patch, Microsoft at the time offered a temporary work-around that involved disabling IE’s Active Scripting facility.

The software giant said that the cumulative patch addresses all known IE issues – including a spate of bugs that Microsoft patched only last month – as well as three newly discovered vulnerabilities, all of which appear to be variations on existing problems.

For example, Microsoft confirmed that two of the new issues are made possible by flaws in the way IE handles cookies, although it stressed that the “underlying flaws” which expose the vulnerabilities in the first place are “completely unrelated.” The software giant acknowledged that an attacker who successfully exploits either vulnerability could, again, gain access to private information stored in a user’s cookies.

The third and final new vulnerability is related to the way in which IE handles URLs that include so-called “dotless” IP addresses. Dotless IP addresses – which are commonly used by spammers – are 32-bit numbers that resolve into equivalent dotted IP formats. Microsoft originally patched problems with IE’s dotless IP address handling capabilities in October 2001 and in October 1998.

Because of the way in which IE handles dotless IP addresses, Microsoft said that it’s possible that a malicious attacker could contrive (by virtue of a URL sent via e-mail or embedded within a Web page, for example) to entice a user to click on a malformed dotless IP address, which would then trick IE into opening the site in its less secure “Intranet” zone context.
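The following is an added example, not code from the article or from Microsoft: a filter-side check that finds URLs whose host is a bare 32-bit number and shows the dotted address it resolves to. The function names and the sample text are constructed for illustration, and accepting hex and octal forms as well as decimal goes beyond the decimal case the article describes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A dotless host is a single number with no dots: decimal, 0x-hex, or 0-octal.
_DOTLESS = re.compile(r"^(?:0[xX][0-9a-fA-F]+|[0-9]+)$")
_URL = re.compile(r"https?://[^\s\"'<>]+")


def dotless_to_dotted(host):
    """Return the dotted-quad form of a dotless host, or None if it is not one."""
    if not _DOTLESS.match(host):
        return None
    try:
        if host.lower().startswith("0x"):
            value = int(host, 16)
        elif host.startswith("0") and len(host) > 1:
            value = int(host, 8)      # leading zero read as octal (inet_aton style)
        else:
            value = int(host, 10)
    except ValueError:                # e.g. "089" is not valid octal
        return None
    if value > 0xFFFFFFFF:            # does not fit in 32 bits, so not an IPv4 address
        return None
    return str(ipaddress.IPv4Address(value))


def find_dotless_urls(text):
    """Return (url, dotted_address) pairs for URLs in text that use a dotless host."""
    hits = []
    for url in _URL.findall(text):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:            # malformed authority part; skip it
            continue
        dotted = dotless_to_dotted(host)
        if dotted is not None:
            hits.append((url, dotted))
    return hits


# Constructed sample message body (192.0.2.1 is a documentation address).
SAMPLE = ("Confirm your account at http://3221225985/login today. "
          "Help: https://www.example.com/help Mirror: http://0xC0000201/ "
          "Direct: http://192.0.2.1/ok")

if __name__ == "__main__":
    for url, dotted in find_dotless_urls(SAMPLE):
        print(f"{url} -> {dotted}")
```

A mail gateway or proxy can use the dotted result to apply the same zone and reputation policy it would apply to the ordinary address.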

The new IE patch rates a “moderate” across the board (for Internet-facing, intranet-based and client-only systems) according to Microsoft’s new security bulletin rating system. Nevertheless, the software giant encouraged customers to apply the patch to all supported systems. The patch is available here.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
