News

Microsoft Releases Cumulative Patch for IE

Microsoft Corp. on Tuesday released a cumulative patch for Internet Explorer (IE) versions 5.x and 6.0. The patch fixes all known IE issues -– and addresses three new vulnerabilities, as well.

The patch fixes a serious vulnerability that is exposed by the way in which IE handles cookies – and which could disclose a user’s private information to unauthorized third-parties. Microsoft acknowledged the presence of a bug in a security bulletin that it distributed last week to members of its security mailing list. In lieu of a patch, Microsoft at the time offered a temporary work-around that involved disabling IE’s Active Scripting facility.

The software giant said that the cumulative patch addresses all known IE issues – including a spate of bugs that Microsoft patched only last month -– as well as three newly-discovered vulnerabilities, all of which appear to be variations on existing problems.

For example, Microsoft confirmed that two of the new issues are made possible by flaws in the way IE handles cookies, although it stressed that the “underlying flaws” which expose the vulnerabilities in the first place are “completely unrelated.” The software giant acknowledged that an attacker who successfully exploits either vulnerability could, again, gain access to private information stored in a user’s cookies.

The third and final new vulnerability is related to the way in which IE handles URLs that include so-called “dotless” IP addresses. Dotless IP addresses –- which are commonly used by spammers -- are 32 bit numbers that resolve into equivalent dotted IP formats. Microsoft originally patched problems with IE’s dotless IP address handling capabilities in October 2001 and in October 1998.

Because of the way in which IE handles dotless IP addresses, Microsoft said that it’s possible that a malicious attacker could contrive (by virtue of a URL sent via e-mail or embedded within a Web page, for example) to entice a user to click on a malformed dotless IP address, which would then trick IE into opening the site in its less secure “Intranet” zone context.

The new IE patch rates a “moderate” across the board (for Internet-facing, intranet-based and client-only systems) according to Microsoft’s new security bulletin rating system. Nevertheless, the software giant encouraged customers to apply the patch to all supported systems. The patch is available here.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Featured

  • Microsoft Clarifies Project Cortex's Scope, IT Controls and Product Delivery in Q&A

    Microsoft recently offered a Q&A session on Project Cortex, its emerging "knowledge network" solution for Microsoft 365 users.

  • How To Use .CSV Files with PowerShell, Part 2

    In the second part of this series, Brien shows how to import a .CSV file into a PowerShell array, including two methods for zooming in on just the specific data you need and filtering out the rest.

  • Windows 10 Preview Adds Ability To Display Linux Distro Files

    Microsoft on Wednesday announced Windows 10 preview build 19603, which adds easier access to installed Linux distro files using Windows File Explorer.

  • Microsoft 365 Business To Get Azure Active Directory Premium P1 Perks

    Subscribers to Microsoft 365 Business (which is being renamed this month to "Microsoft 365 Business Premium") will be getting Azure Active Directory Premium P1 licensing at no additional cost.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.