‘Critical’ IE Patch in November Alert

Microsoft on Tuesday included three ‘critical’
security patches in its new monthly bulletin, including a cumulative update for Internet Explorer (IE), the world’s most popular Web browser.

The November alert, which is the second monthly update issued under
Microsoft’s plan
to release security patches on a monthly cycle, also includes a fix for
another ‘critical patch in the Windows Workstation service that could allow
harmful code execution.

According to the second monthly alert from the software giant, five newly discovered security holes
were detected in Internet Explorer that could allow remote code execution
and browser takeover.

The cumulative patch replaces the one that is provided in the MS03-040 update and affects IE running on Windows 98, Windows Millennium Edition, Windows NT Workstation, Windows NT Server Windows 2000, Windows XP (and XP Service Pack 1) and the newest Windows Server 2003.

The flaws affect Internet Explorer versions 5.01 through 6.0

Of the five new vulnerabilities, Microsoft said three involve the
cross-domain security model of Internet Explorer which keeps windows of
different domains from sharing information. “These vulnerabilities could
result in the execution of script in the My Computer zone,” the company
warned.

Microsoft said an attacker could host a malicious Web site containing
pages designed to exploit the cross-domain vulnerabilities to take over a
user’s machine. “An attacker who exploited one of these vulnerabilities
could access information from other Web sites, access files on a user’s
system, and run arbitrary code on a user’s system. This code would run in
the security context of the currently logged on user,” the company
warned.

Holes have also been plugged in the way that zone information is passed
to an XML object within Internet Explorer. This vulnerability could allow an
attacker to read local files on a user’s system.

A fifth vulnerability patched involved performing a drag-and-drop
operation during dynamic HTML events in the browser. “This
vulnerability could allow a file to be saved in a target location on the
user’s system if the user clicks a link. No dialog box would request that
the user approve this download,” according to the alert.

As with all previous cumulative patches for IE, Microsoft noted that the
update will cause the window.showHelp( ) control to no longer work if
the HTML Help update is not applied.

WINDOWS WORKSTATION FLAW

The November alert, which is the second monthly update issued under
Microsoft’s new plan
to release security patches on a monthly cycle, also includes a fix for
another ‘critical patch in the Windows Workstation service that could allow
harmful code execution.

Microsoft warned that a buffer overrun in the Workstation service could leave users of
Windows 2000 and Windows XP systems open to attack.

“If exploited, an attacker could gain System privileges on an affected
system, or could cause the Workstation service to fail. An attacker could
take any action on the system, including installing programs, viewing data,
changing data, or deleting data, or creating new accounts with full
privileges,” the company warned.

The company said users can protect themselves by blocking inbound UDP
ports 138, 139, 445 and TCP ports 138, 139, 445. Most firewalls, including
Internet Connection Firewall in Windows XP, block these ports by default.

A third critical advisory was issued to fix a buffer overflow flaw in Microsoft
FrontPage Server Extensions that could lead to remote code execution.

Affected software includes Windows 2000, Windows XP and Microsoft Office
XP.

The software giant explained that the MS03-051 bulletin fixes two newly
detected holes the FrontPage Server Extensions product. The first
vulnerability exists because of a buffer overrun in the remote debug
functionality of FrontPage Server Extensions while the second flaw could
lead to denial-of-service scenarios.

The company also issued an ‘important’ update to fix a vulnerability in the Word and Excel products that could allow code
execution.

Affected software include Excel 97, Excel 2000, Excel 2002, Word 97, Word
98, Word 2000, Works Suite 2001 Word 2002, Works Suite 2002, Works Suite
2003 and Works Suite 2004.

The latest fixes for older versions of Microsoft Word and Excel come on
the heels of a ‘critical’ security
update
issued earlier this month for the brand-new Office 2003 product
suite.

News Around the Web