Microsoft Posts Critical Patch for IE Ahead of Regular Schedule

Microsoft on Wednesday released a security patch for the critical Internet Explorer flaw that was being exploited through compromised Web banner servers.

Microsoft considered the flaw, which has been public for about a month, important enough to release the patch ahead of its normal patching day, which falls on Dec. 14 this month.

Microsoft released the patch in security bulletin MS04-040, a cumulative patch for Internet Explorer that replaces a previous cumulative IE update included with MS04-038.

The flaw affects Internet Explorer 6.0, but not IE 5.0 or IE 5.5. Microsoft also says that IE 6.0 users are unaffected by the vulnerability if they have Windows XP Service Pack 2 installed or are using the version of the browser that shipped with Windows Server 2003.

The flaw results from an unchecked buffer in IE that processes certain HTML elements such as FRAME and IFRAME. The vulnerability has been referred to by others as the IFRAME vulnerability. Microsoft is officially calling the vulnerability the "HTML Elements Vulnerability."

If the victim is logged on as an administrator, an attacker can use the flaw to take complete control of the user's system over the Internet.

The security bulletin is available at

Microsoft's bulletin acknowledges that the vulnerability was publicly disclosed and was being exploited already. Most security bulletins from Microsoft and other vendors are the first public disclosure of a problem and give end users in effect a grace period of a day or two to test and apply the patch before attackers begin exploiting it.

Public reports of the IFRAME or HTML Elements vulnerability began appearing in early November. US-CERT posted a vulnerability note about the problem on Nov. 3. By Nov. 21, the security firm LURHQ documented several sites that were using the vulnerability to compromise end-user systems with adware and trojans. The group warned that banner ads were being used to exploit the flaw to compromise systems. "The sites … are being rotated frequently and are not just small, unknown sites -- one of the hacked sites included a well-known Hollywood film studio's website," a LURHQ statement said.

Underscoring the patch's importance, this is only the fourth time Microsoft has issued a patch outside its monthly patching day since instituting the process more than a year ago. The other out-of-band releases also involved unpatched flaws in Internet Explorer that were being exploited by attackers.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
