Microsoft rushes out critical IE fix

by Guest Contributor | Dec 02, 2004 2:45:00 PM

Tags: Guest Contributor

Takeaway: Departing from schedule, the company patches a month-old security hole in the browser software that had spawned attacks.

Stay on top of the latest tech news with our free IT News Digest newsletter, delivered each weekday. Automatically sign up today!

By Robert Lemos
CNET News.com

Microsoft published a patch for Internet Explorer on Wednesday, aiming to close a month-old hole that has been used by viruses to spread and by an ad banner attack to compromise PCs.

The vulnerability, dubbed the Internet Explorer Elements flaw by Microsoft, had previously been called the iFrame vulnerability. The issue--which does not affect Microsoft's major Windows XP security update, Service Pack 2--could allow an attacker to take control of a victim's PC, if the user is logged on as an administrator. Most home users tend to log onto Windows as administrators.

A Microsoft representative said the software giant had released the update before its next scheduled patch day, Dec. 7, because it had already been used by malicious software to compromise Windows users' PCs.

"That's one of the things that we factor in--when the customers are affected or there are active attacks," said Stephen Toulouse, security program manager at Microsoft's security response center.

An attacker can use the vulnerability to gain control of a person's computer when the victim clicks on a simple Web link. The attacker would then have complete control of the system, and could install programs, view, modify or delete data and create new accounts.

The patch arrived more than a month after news of the vulnerability was first posted on public security mailing lists. The move garnered criticism from Microsoft, which has led a drive to convince security researchers to give software makers at least 30 days to fix issues before outing the problem in public forums.

The IE flaw underscores that online criminals are all too willing to use the latest vulnerabilities to take illicit control of users' PCs.

Two computer viruses appeared on the Internet in early November, using the vulnerability in Microsoft's browser to infect PCs after their users clicked on a simple Web link. The viruses, called Bofra.A and Bofra.B by antivirus companies, were loosely based on the source code of MyDoom.

In addition, online intruders breached the security of at least one server at advertising host Falk last week and used the computer to distribute an attack to the service's clients, including The Register, a technology news and opinion site.

The IE Elements flaw affects PCs with IE version 6 installed, but does not affect computers that have been upgraded to Service Pack 2. The software, the latest version of Windows XP, has been downloaded more than 130 million times, Microsoft's Toulouse said.

The latest update for IE 6 can be downloaded from Microsoft's security site or through Windows Update.

Print/View all Posts Comments on this article

Microsoft releases a critical IE fixNewsletter Editor  | 12/02/04

Microsoft's decision to release this update bef...The Admiral  | 12/02/04

agreedapotheon  | 12/02/04

MS needs to make security a real priorityAcesKaraoke  | 12/15/04

Hopefully a wise choice & not a new habitdafe2  | 12/02/04

Is anyone surprised?krussell  | 12/03/04

Agree...........howeverdafe2  | 12/03/04

not soapotheon  | 12/03/04

Firefox already has nine holesdafe2  | 12/04/04

Strength?apotheon  | 12/04/04

Should read had nine holes?AcesKaraoke  | 12/15/04

AcesKaraoke & Should read nine holesdafe2  | 12/17/04

security for codeapotheon  | 12/17/04

Re: Security for codedafe2  | 12/17/04

problems with ActiveXapotheon  | 12/17/04

Re: Tudedafe2  | 12/18/04

fair 'nuffapotheon  | 12/18/04

What kind of tobaccy???richards_unsubcribe@...  | 12/03/04

Been there Done thatdafe2  | 12/04/04

check back in a yearapotheon  | 12/04/04

Well since the patch only applied toHAL 9000  | 12/05/04

What issues?dafe2  | 12/05/04

Well as you obviously are incapable of reading EnglishHAL 9000  | 12/05/04

for examplesapotheon  | 12/05/04

A very common thing to happen withHAL 9000  | 12/05/04

Unfortunately . . .apotheon  | 12/05/04

Well I was talking relativelyHAL 9000  | 12/06/04

reply to HAL 9000apotheon  | 12/06/04

Funny you should ask that questionHAL 9000  | 12/06/04

Very Nicedafe2  | 12/06/04

you're welcomeapotheon  | 12/06/04

Huhrichards_unsubcribe@...  | 12/06/04

Hmm. . . .apotheon  | 12/06/04

Well if it was MSHAL 9000  | 12/06/04

3700 Workstations in NB?richards_unsubcribe@...  | 12/06/04

3700 Workstations in NB?richards_unsubcribe@...  | 12/06/04

Can't fix it......Slam Microsoft..............Of course!dafe2  | 12/07/04

Well as we where following MS directivesHAL 9000  | 12/08/04

Just for your informationHAL 9000  | 12/13/04

Reply To FYIdafe2  | 12/14/04

licensesapotheon  | 12/14/04

Apotheon:dafe2  | 12/15/04

to: dafe2, re: bird trainingapotheon  | 12/15/04

Apotheon Re Flying.....Make that wadledafe2  | 12/15/04

Other Linux Alternativelgarner@...  | 12/17/04

Hello Beachcomberdafe2  | 12/07/04

And the Original MS Posting isHAL 9000  | 12/06/04

Amazing.apotheon  | 12/06/04

Hotel California SolutionBFilmFan  | 12/06/04

Yikes!apotheon  | 12/06/04

Too appropriateAcesKaraoke  | 12/15/04

Actually it is one of Microsoft'sHAL 9000  | 12/06/04

certainlyapotheon  | 12/06/04

Interesting & Replydafe2  | 12/08/04

Not a problemHAL 9000  | 12/08/04

In answer to your Microsoft Accounting.......dafe2  | 12/09/04

Actually that was my first thoughts as well.HAL 9000  | 12/09/04