News

Cumulative IE Patch for Critical Cookie Problem

Microsoft issued a cumulative patch for Internet Explorer in late March. It was the fourth cumulative patch in five months for the Web browser.

The most serious flaw this time is a critical vulnerability in the way IE handles cookies.

"A vulnerability in the zone determination function ... could allow a script embedded in a cookie to be run in the Local Computer zone," according to the bulletin. The only mitigating factor is that the script would run with the same rights as the user.

The bulletin addresses one other newly discovered bug. It is a vulnerability in the handling of object tags that could allow an attacker to invoke an executable already present on a user's machine.

That vulnerability would be much trickier for an attacker to exploit effectively.

The patch includes all existing fixes for IE 5.01, IE 5.5 and IE 6.0.

Descriptions of the new vulnerabilities and the cumulative patch for the problems can be found here:
http://www.microsoft.com/technet/security/bulletin/MS02-015.asp.

Previous cumulative patches for Internet Explorer came out on Feb. 11, Dec. 13 and Nov. 13. Microsoft had issued two bulletins about critical security problems involving IE since the Feb. 11 cumulative patch.

A critical problem with Microsoft's XML Core Services, a component of Internet Explorer 6.0, Windows XP and SQL Server 2000, was patched on Feb. 21. The same day, Microsoft alerted users to a critical problem with the way IE handles VBScripts that could allow malicious Web page designers to read local files.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Vendors Issue Patches for Linux Container Runtime Flaw Enabling Host Attacks

    This week, the National Institute of Standards and Technology (NIST) described a high-risk security vulnerability (CVE-2019-5736) for organizations using containers that could lead to compromised host systems.

  • Windows 10 Version 1809 Users May Get Visual Studio Crashes

    Microsoft on Friday issued an advisory for Windows 10 version 1809 users about possible Visual Studio crashes.

  • Standardizing the Look of Outlook's Outbound Messages

    Microsoft typically gives users a blank canvas to compose new e-mails in Outlook. In some corporate environments, however, a blank canvas isn't a good thing.

  • Windows 10 'Semiannual Channel Targeted' Goes Away This Spring

    Microsoft plans to slightly alter its Windows servicing lingo and management behavior with its next Windows 10 operating system feature update release, coming this spring.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.