Microsoft Posts Critical Patch for IE Ahead of Regular Schedule

Microsoft on Wednesday released a security patch for the critical Internet Explorer flaw that was being exploited through compromised Web banner servers.

Microsoft considered the flaw, which has been public for about a month, important enough to release the patch ahead of its normal patching day, which falls on Dec. 14 this month.

Microsoft released the patch in security bulletin MS04-040, a cumulative patch for Internet Explorer that replaces a previous cumulative IE update included with MS04-038.

The flaw affects Internet Explorer 6.0, but not IE 5.0 or IE 5.5. Microsoft also says that IE 6.0 users are unaffected by the vulnerability if they have Windows XP Service Pack 2 installed or are using the version of the browser that shipped with Windows Server 2003.

The flaw results from an unchecked buffer in IE that processes certain HTML elements such as FRAME and IFRAME. The vulnerability has been referred to by others as the IFRAME vulnerability. Microsoft is officially calling the vulnerability the "HTML Elements Vulnerability."
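The bulletin describes the defect only as an unchecked buffer reached while IE processes FRAME and IFRAME elements. One thing a defender can do with that much information is scan inbound or hosted HTML for those elements carrying abnormally long attribute values, the generic shape of input that reaches an unchecked copy. The scanner below is an added example written for this article, not code from Microsoft, LURHQ or the bulletin; the 256-byte threshold, the `scan_html` function name and the two constructed sample documents are assumptions for illustration, and the length cutoff should be tuned to whatever is normal for the markup you actually serve.

```python
from html.parser import HTMLParser

# Assumed threshold (not from the bulletin): attribute values longer than
# this are rare in legitimate FRAME/IFRAME markup and worth a closer look.
MAX_ATTR_LEN = 256

# The elements the bulletin names as the ones whose processing is affected.
WATCHED_TAGS = {"frame", "iframe"}


class FrameAttrScanner(HTMLParser):
    """Collect FRAME/IFRAME start tags that carry an oversized attribute."""

    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__()
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag not in WATCHED_TAGS:
            return
        for name, value in attrs:
            if value is not None and len(value) > self.max_len:
                self.findings.append({
                    "tag": tag,
                    "attr": name,
                    "length": len(value),
                    "line": self.getpos()[0],  # line where the tag begins
                })

    # Self-closing form (<iframe ... />) gets the same treatment.
    handle_startendtag = handle_starttag


def scan_html(markup, max_len=MAX_ATTR_LEN):
    """Return a list of findings for the given HTML document string."""
    scanner = FrameAttrScanner(max_len)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed sample documents: one ordinary page, one with a 1024-byte
# src attribute on an IFRAME on its second line.
BENIGN_HTML = (
    '<html><body><iframe src="https://example.com/page" width="300">'
    "</iframe></body></html>"
)
SUSPICIOUS_HTML = (
    "<html><body>\n"
    '<iframe src="' + "x" * 1024 + '"></iframe>\n'
    "</body></html>"
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        for hit in scan_html(doc):
            print(f"{label}: <{hit['tag']}> attribute {hit['attr']} "
                  f"is {hit['length']} bytes at line {hit['line']}")
```

The heuristic is deliberately coarse: it flags length alone, so it will miss a short trigger and will flag long but harmless data URIs. Its value is as a triage filter over proxy caches or ad-server output, which is exactly where the banner-ad vector described in this article showed up, before a patched client ever renders the page.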

If the victim is logged on as an administrator, an attacker can use the flaw to take complete control of the user's system over the Internet.

The security bulletin is available at

Microsoft's bulletin acknowledges that the vulnerability was publicly disclosed and was already being exploited. Most security bulletins from Microsoft and other vendors are the first public disclosure of a problem, which in effect gives end users a grace period of a day or two to test and apply the patch before attackers begin exploiting it.

Public reports of the IFRAME or HTML Elements vulnerability began appearing in early November. US-CERT posted a vulnerability note about the problem on Nov. 3. By Nov. 21, the security firm LURHQ documented several sites that were using the vulnerability to compromise end-user systems with adware and trojans. The group warned that banner ads were being used to exploit the flaw to compromise systems. "The sites … are being rotated frequently and are not just small, unknown sites -- one of the hacked sites included a well-known Hollywood film studio's website," a LURHQ statement said.

Underscoring the importance of the patch, this is only the fourth time Microsoft has issued a patch outside its monthly patching day since instituting the process more than a year ago. The other out-of-band releases also involved unpatched flaws in Internet Explorer that were being exploited by attackers.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
