News

Two Critical Vulnerabilities in IE

Two critical vulnerabilities in Internet Explorer 5.01, 5.5 and 6.0 could allow code execution. Microsoft released a cumulative patch on Wednesday for Internet Explorer that fixes the flaws.

Like many flaws in IE, the newly patched bugs would require an attacker to send a specially malformed HTML e-mail or lure a user to a malformed Web page. Code execution under the flaws only runs under the privilege of the user.

The first flaw is a buffer overrun vulnerability that results because IE does not properly determine an object type returned by a server, Microsoft says. The second flaw exists because IE fails to put an appropriate block on a file download dialog box.

The patch requires a reboot, and it can be uninstalled. It can be found here:
www.microsoft.com/technet/security/bulletin/MS03-020.asp.

While the flaw can affect IE 6.0 in Windows Server 2003, a new default security setting called Enhanced Security Configuration effectively blocks the flaw unless an administrator has chosen to disable it.

Among other things, Enhanced Security Configuration sets the security level for the Internet zone to high, disables automatic detection of intranet sites, disables install on demand and non-Microsoft browser extensions and disables multimedia content.

Users who have set up Windows Server 2003 in Terminal Services mode are the major user group most likely to have disabled Enhanced Security Configuration. In a Terminal Services environment, Enhanced Security Configuration must be disabled to allow users to use IE in unrestricted mode.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Azure AD Enhancements Bring Expanded Support for Auto-Provisioned SaaS Apps

    Microsoft announced a number of Azure Active Directory enhancements this month.

  • What's Behind Microsoft's Sudden Teams Push?

    As Skype for Business slowly gets phased out and Slack's enterprise dominance becomes less of a sure thing, the time is right for Microsoft to focus its marketing energies on its upstart collaboration tool.

  • Microsoft Releases PowerShell 7 Preview 3

    Microsoft announced on Wednesday that the PowerShell 7 Preview 3 scripting solution is now available.

  • SQL Server 2019 Release Candidate Now Available

    Microsoft on Wednesday announced the release of SQL Server 2019 release candidate (RC).

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.