News

Critical IE Patches Released

Microsoft released a cumulative patch fixing three critical vulnerabilities for Internet Explorer on Monday night.

The patch includes fixes for six new vulnerabilities, although three represent only a moderate risk, and rolls together fixes for all previous IE vulnerabilities.

The new vulnerabilities affect IE 5.01, IE 5.5 and IE 6.0. Microsoft does not support versions of IE earlier than IE 5.01 with Service Pack 2.

"Customers using an affected version of IE should install the patch immediately," Microsoft recommends.

The most serious new vulnerability could allow an attacker to run code on a user's system. It involves a buffer overrun vulnerability in an HTML directive that is supposed to be used to incorporate a document within a Web page. The problem affects IE versions 5.5 and 6.0 but not IE 5.01.

The two other critical vulnerabilities affect all three versions of the browser. In one, a scripting function called GetObject can be abused by a Web page to read files on a visiting user's machine.

The other is a variant of the "Frame Domain Verification" vulnerability of Microsoft Security Bulletin MS01-058. This vulnerability also involves a malicious Web site operator reading files from a user's local computer and enables URL spoofing.

Patches for other newly discovered vulnerabilities include a file download dialogue spoofing problem, an application invocation via content-type fields and a script execution.

The Security bulletin can be read here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-005.asp.

The patch can be downloaded here: http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp.

Installation requires a restart, and the patch cannot be uninstalled.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Google Goes Live with Managed Service for Microsoft Active Directory

    Google's Managed Service for Microsoft Active Directory is now a "generally available" service, according to a Thursday Google announcement.

  • Dell Sells RSA Assets for $2 Billion

    Dell's RSA security solutions businesses, including the RSA Conference, were bought by a consortium of companies for about $2 billion, according to Tuesday announcements.

  • How To Get Started as a Windows Insider

    Microsoft's Windows Insider program is invaluable for IT pros who want to test drive new Windows 10 features before the update rolls out to their entire organization. If you haven't already signed up to be an Insider, here's how to do it.

  • Old Fashioned Mics

    Microsoft Preps for RSA Conference with Multiple Security Product Announcements

    Microsoft announced various enterprise security solution product milestones this week in advance of the forthcoming RSA Conference, which will start on Feb. 24.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.