RealTime IT News

Microsoft Introduces New IE, Outlook Fixes

Microsoft late Wednesday introduced two new security patches which seal moderate flaws in versions 5.5 and 6.0 of its Internet Explorer browser and Outlook 2002.

The IE flaw exists in the software's cross-domain security model because the security checks that IE carries out when particular object caching techniques are used in Web pages are incomplete. This could allow a Web site in one domain to access information in another, including the user's PC.

The flaw enables perpetrators to read any file of users who employ IE versions 5.5 and 6.0 on their computers. The attacker could also invoke an executable that was already present on the local system. However, this is not as easy as it seems: the attacker would need to know the location of the command, and would not be able to pass parameters to it.

One major relief point is that attackers cannot modify, add or delete files on the user's machine.

The new patch, which may be downloaded here, is the latest in a string of such fix-me-ups for the IE browser, and is cumulative, meaning it covers all of the security bases supplied by previous patches for IE 5.5 and 6.0. To be sure, this patch supersedes the most recent one provided by the company last month.

As for the Outlook flaw, Microsoft said it is an e-mail header processing bug, which could cause a denial-of-service attack on a user's machine. A perpetrator could send a specially malformed e-mail to a user of Outlook 2002 that would cause the Outlook client to fail under certain circumstances.

The e-mail message could be deleted by an e-mail administrator, or by the user via another e-mail client such as Outlook Web Access or Outlook Express, after which point the Outlook 2002 client would again function normally. The vulnerability is considered moderate because it could not be used to read, delete, create or alter the user's e-mail. Outlook 2002 clients using POP3, IMAP, or WebDAV protocols are vulnerable, but a patch to correct this flaw exists here.

Microsoft's new bulletins come a few weeks after the company pledged to change its security posting protocol to make the warnings less technical.