RealTime IT News

Microsoft Issues Cumulative Patch for IE

Microsoft Wednesday issued a cumulative patch for its Internet Explorer browser that also protects against several newly discovered vulnerabilities that it labeled as "critical."

Microsoft said the patch combines all the previously released patches for IE 5.01, 5.5 and 6.0 and also addresses several vulnerabilities that would allow an attacker to use a malicious Web site or specially-formed HTML email to access certain privileges on a user's computer.

The first new flaw patched involves the cross-domain security model of IE, which is intended to keep windows of different domains from sharing information. Microsoft said the flaw could allow an attacker to execute script in the user's My Computer zone, run an executable file already present on the local system, or view files on the computer.

To exploit the flaw, an attacker would have to host a malicious Web site that contained a page specifically designed to exploit the vulnerability, and then persuade a victim to visit the site. Once the user is on the site, Microsoft said the attacker could run malicious script by misusing the method IE uses to retrieve files from the browser cache, causing that script to access information in a different domain.

The second new vulnerability patched would allow an attacker to run arbitrary code on a user's system because Internet Explorer doesn't properly determine an object type returned from a Web server, Microsoft said. This vulnerability could be exploited either through convincing a user to visit a malicious Web site or through an HTML email.

The cumulative patch also sets the Kill Bit on the BR549.DLL ActiveX control, which was originally implemented to support the Windows Reporting Tool. IE no longer supports the tool, which has been found to contain a security vulnerability. The new patch prevents the control from running or from being reintroduced onto a user's system.
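The Kill Bit described above is a per-control registry setting: IE refuses to instantiate an ActiveX control whose CLSID has the 0x400 bit set in its "Compatibility Flags" value under the ActiveX Compatibility key. The following PowerShell function, an added example rather than anything from the article or from Microsoft, reads that value so an administrator can verify the bit is actually set after patching. The CLSID passed at the bottom is a placeholder, because the article does not give the BR549.DLL control's CLSID; substitute the value from the vendor bulletin.

```powershell
# Added example (not from the article): report whether IE's Kill Bit is set for an ActiveX control.
# IE checks a per-CLSID "Compatibility Flags" DWORD under the ActiveX Compatibility key;
# when bit 0x400 is set, the browser will not load the control, whatever else is on disk.
# The CLSID used at the bottom is a PLACEHOLDER; the article does not name the real one.

function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)]
        [string]$Clsid            # e.g. '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'
    )

    $KillBitFlag = 0x400
    $basePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $keyPath  = Join-Path $basePath $Clsid

    if (-not (Test-Path -Path $keyPath)) {
        # No entry at all: the control is not kill-bitted (it may still be absent from the system).
        return [pscustomobject]@{ Clsid = $Clsid; KillBitSet = $false; Flags = $null; Note = 'no compatibility entry' }
    }

    $item  = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags = $item.'Compatibility Flags'
    if ($null -eq $flags) {
        return [pscustomobject]@{ Clsid = $Clsid; KillBitSet = $false; Flags = $null; Note = 'entry exists but no Compatibility Flags value' }
    }

    [pscustomobject]@{
        Clsid      = $Clsid
        KillBitSet = (($flags -band $KillBitFlag) -ne 0)   # only bit 0x400 matters for the Kill Bit
        Flags      = ('0x{0:X}' -f $flags)
        Note       = ''
    }
}

# Placeholder CLSID: replace with the control's real CLSID from the bulletin before use.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

On 64-bit Windows the 32-bit browser consults the same key under SOFTWARE\Wow6432Node, so a complete check runs the function against both hives. A result of "no compatibility entry" means only that no Kill Bit is set; it says nothing about whether the DLL itself is still present.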

Microsoft has also used the cumulative patch to change the way IE renders HTML files, in order to address a flaw that could cause IE or Outlook Express to fail. Currently, IE does not properly render an input tag, Microsoft said, which would allow an attacker to craft a malicious Web site that would cause the browser to fail. The flaw would also allow an attacker to create a specially-formed HTML email that would cause Outlook Express to fail when the email is opened or previewed.

Finally, the patch modifies an earlier patch in order to cover specific languages.

Microsoft noted that, by default, Windows Server 2003 runs in Enhanced Security Configuration, which blocks these attacks. However, it warned that if Enhanced Security Configuration were disabled, the system would be open to these attacks.

The software titan also issued two separate patches on Wednesday, one for Microsoft Data Access Components (MDAC) and the other for Microsoft DirectX.

MDAC is a collection of components used to provide database connectivity on Windows platforms. The MDAC patch fixes a flaw that would allow an attacker to take a variety of actions, including executing code. The flaw affects MDAC 2.5 (included with Windows 2000, Office 2000 SR1 and later, and SQL Server 7.0 SP2 and later), MDAC 2.6 (included with SQL Server 2000), and MDAC 2.7 (included with Windows XP and Visual Studio .NET).

DirectX is a group of graphics technologies for video, 3D animation and audio applications. The DirectX patch fixes a flaw that could allow an attacker to run programs on a computer running Windows, after the user visits a malicious Web site or opens a malicious email.

The flaw affects DirectX 5.2 on Windows 98; DirectX 6.1 on Windows 98 SE; DirectX 7.0 on Windows 2000; DirectX 7.1 on Windows Millennium Edition; DirectX 8.0, 8.0a, 8.1, 8.1a and 8.1b on Windows 98, Windows 98 SE, Windows Me, Windows 2000, Windows XP or Windows Server 2003; DirectX 8.1 on Windows XP; DirectX 8.1 on Windows Server 2003; DirectX 9.0a on Windows 98, Windows 98 SE, Windows Me, Windows 2000, Windows XP or Windows Server 2003; Windows NT Server 4.0 with either Windows Media Player 6.4 or Internet Explorer 6 SP1; and Windows NT Server 4.0, Terminal Server Edition, with either Windows Media Player 6.4 or IE 6 SP1.