Microsoft Introduces New IE, Outlook Fixes

Microsoft late Wednesday introduced two new security patches that seal
moderate flaws in versions 5.5 and 6.0 of its Internet Explorer browser and
in Outlook 2002.


The IE flaw exists in the software’s cross-domain security model because the
security checks that IE carries out when particular object caching
techniques are used in Web pages are incomplete. This could allow a Web site
in one domain access to information in another, including the user’s PC.


The flaw enables perpetrators to read any file on the computers of users
running IE versions 5.5 and 6.0. The attacker could also invoke an
executable that was already present on the local system. However, this is
not as easy as it seems: the attacker would need to know the location of the
command, and would not be able to pass parameters to it.


One major relief point is that attackers cannot modify, add or delete files
on the user's machine.


The new patch, which may be downloaded here, is the latest in a string of
such fix-me-ups for the IE browser, and is cumulative, meaning it covers all
of the security bases supplied by previous patches for IE 5.5 and 6.0. To be
sure, this patch supersedes the most recent one provided by the company last
month.


As for the Outlook flaw, Microsoft said it is an e-mail header processing
bug, which could cause a denial-of-service attack on a user’s machine. A
perpetrator could send a specially malformed e-mail to a user of Outlook
2002 that would cause the Outlook client to fail under certain circumstances.


The e-mail message could be deleted by an e-mail administrator, or by the
user via another e-mail client such as Outlook Web Access or Outlook
Express, after which point the Outlook 2002 client would again function
normally. The vulnerability is considered moderate because it could not be
used to read, delete, create or alter the user’s e-mail. Outlook 2002
clients using POP3, IMAP, or WebDAV protocols are vulnerable, but a patch to
correct this flaw exists here.


Microsoft’s new bulletins come a few weeks after the company pledged to
change its security posting protocol to make the warnings less technical.
