News

Two Critical Vulnerabilities in IE

Two critical vulnerabilities in Internet Explorer 5.01, 5.5 and 6.0 could allow code execution. Microsoft released a cumulative patch on Wednesday for Internet Explorer that fixes the flaws.

Like many flaws in IE, the newly patched bugs would require an attacker to send a specially malformed HTML e-mail or lure a user to a malformed Web page. Code execution under the flaws only runs under the privilege of the user.

The first flaw is a buffer overrun vulnerability that results because IE does not properly determine an object type returned by a server, Microsoft says. The second flaw exists because IE fails to put an appropriate block on a file download dialog box.

The patch requires a reboot, and it can be uninstalled. It can be found here:
www.microsoft.com/technet/security/bulletin/MS03-020.asp.

While the flaw can affect IE 6.0 in Windows Server 2003, a new default security setting called Enhanced Security Configuration effectively blocks the flaw unless an administrator has chosen to disable it.

Among other things, Enhanced Security Configuration sets the security level for the Internet zone to high, disables automatic detection of intranet sites, disables install on demand and non-Microsoft browser extensions and disables multimedia content.

Users who have set up Windows Server 2003 in Terminal Services mode are the major user group most likely to have disabled Enhanced Security Configuration. In a Terminal Services environment, Enhanced Security Configuration must be disabled to allow users to use IE in unrestricted mode.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Azure Backup for SQL Server Now Commercially Available

    Microsoft on Monday announced that Azure Backup for SQL Server had reached "general availability" status, meaning it's deemed ready for production-environment use.

  • Insights for MyAnalytics Getting Switched On for Office 365 Users This Month

    Microsoft is planning to activate "Insights for MyAnalytics" sometime late this month for most Office 365 users, but the ability of organizations to manage this feature won't be available until possibly mid-May.

  • SharePoint Framework 1.8 Now Generally Available

    Microsoft this week announced that SharePoint Framework 1.8 had reached "general availability" status, although some features are still at the preview stage.

  • How To Create Office 365 User Accounts in Bulk

    Manual account creation can be tedious, time-consuming and prone to human error, especially if you have more than a handful of Office 365 users to set up. Brien shows you a better way.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.