'Critical' IE Patch in November Alert

Microsoft on Tuesday included three 'critical' security patches in its new monthly bulletin, including a cumulative update for Internet Explorer (IE), the world's most popular Web browser.

The November alert, which is the second monthly update issued under Microsoft's plan to release security patches on a monthly cycle, also includes a fix for another 'critical patch in the Windows Workstation service that could allow harmful code execution.

According to the second monthly alert from the software giant, five newly discovered security holes were detected in Internet Explorer that could allow remote code execution and browser takeover.

The cumulative patch replaces the one that is provided in the MS03-040 update and affects IE running on Windows 98, Windows Millennium Edition, Windows NT Workstation, Windows NT Server Windows 2000, Windows XP (and XP Service Pack 1) and the newest Windows Server 2003.

The flaws affect Internet Explorer versions 5.01 through 6.0

Of the five new vulnerabilities, Microsoft said three involve the cross-domain security model of Internet Explorer which keeps windows of different domains from sharing information. "These vulnerabilities could result in the execution of script in the My Computer zone," the company warned.

Microsoft said an attacker could host a malicious Web site containing pages designed to exploit the cross-domain vulnerabilities to take over a user's machine. "An attacker who exploited one of these vulnerabilities could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user," the company warned.

Holes have also been plugged in the way that zone information is passed to an XML object within Internet Explorer. This vulnerability could allow an attacker to read local files on a user's system.

A fifth vulnerability patched involved performing a drag-and-drop operation during dynamic HTML events in the browser. "This vulnerability could allow a file to be saved in a target location on the user's system if the user clicks a link. No dialog box would request that the user approve this download," according to the alert.

As with all previous cumulative patches for IE, Microsoft noted that the update will cause the window.showHelp( ) control to no longer work if the HTML Help update is not applied.

WINDOWS WORKSTATION FLAW

The November alert, which is the second monthly update issued under Microsoft's new plan to release security patches on a monthly cycle, also includes a fix for another 'critical patch in the Windows Workstation service that could allow harmful code execution.

Microsoft warned that a buffer overrun in the Workstation service could leave users of Windows 2000 and Windows XP systems open to attack.

"If exploited, an attacker could gain System privileges on an affected system, or could cause the Workstation service to fail. An attacker could take any action on the system, including installing programs, viewing data, changing data, or deleting data, or creating new accounts with full privileges," the company warned.

The company said users can protect themselves by blocking inbound UDP ports 138, 139, 445 and TCP ports 138, 139, 445. Most firewalls, including Internet Connection Firewall in Windows XP, block these ports by default.

A third critical advisory was issued to fix a buffer overflow flaw in Microsoft FrontPage Server Extensions that could lead to remote code execution.

Affected software includes Windows 2000, Windows XP and Microsoft Office XP.

The software giant explained that the MS03-051 bulletin fixes two newly detected holes the FrontPage Server Extensions product. The first vulnerability exists because of a buffer overrun in the remote debug functionality of FrontPage Server Extensions while the second flaw could lead to denial-of-service scenarios.

The company also issued an 'important' update to fix a vulnerability in the Word and Excel products that could allow code execution.

Affected software include Excel 97, Excel 2000, Excel 2002, Word 97, Word 98, Word 2000, Works Suite 2001 Word 2002, Works Suite 2002, Works Suite 2003 and Works Suite 2004.

The latest fixes for older versions of Microsoft Word and Excel come on the heels of a 'critical' security update issued earlier this month for the brand-new Office 2003 product suite.