Microsoft Issues Cumulative Patch for IE

On Wednesday, Microsoft issued a cumulative patch for its Internet Explorer browser that rolls up earlier fixes and also protects against several newly discovered vulnerabilities the company rated as “critical.”

Microsoft said the patch combines all previously released patches for IE 5.01, 5.5 and 6.0 and also addresses several vulnerabilities that would allow an attacker, using a malicious Web site or a specially crafted HTML email, to run script or code on a user’s computer with that user’s privileges.

The first new flaw patched involves the cross-domain security model of IE, which is intended to keep windows of different domains from sharing information. Microsoft said the flaw could allow an attacker to execute script in the user’s My Computer zone, run an executable file already present on the local system, or view files on the computer.

To exploit the flaw, an attacker would have to host a malicious Web site containing a page specifically designed to trigger the vulnerability, and then persuade a victim to visit that site. Once the user is on the site, Microsoft said, the attacker could run malicious script by misusing the method IE uses to retrieve files from the browser cache, causing that script to access information belonging to a different domain.

The second new vulnerability patched would allow an attacker to run arbitrary code on a user’s system because Internet Explorer does not properly validate the type of an object returned from a Web server, Microsoft said. This vulnerability could be exploited either by convincing a user to visit a malicious Web site or through an HTML email.

The cumulative patch also sets the Kill Bit on the BR549.DLL ActiveX control, which was originally implemented to support the Windows Reporting Tool. IE no longer supports the tool, and the control has been found to contain a security vulnerability. The Kill Bit is a registry setting that tells IE never to instantiate a control with a given class identifier (CLSID), so the patch prevents the control from running in the browser even if the DLL is later reintroduced onto a user’s system.

Microsoft has also used the cumulative patch to change the way IE renders HTML files, in order to address a flaw that could cause IE or Outlook Express to crash. Currently, IE does not properly render a malformed input tag, Microsoft said, which would allow an attacker to craft a Web page that causes the browser to fail. The same flaw would let an attacker create a specially crafted HTML email that causes Outlook Express to fail when the email is opened or previewed; this is a denial of service, not code execution.

Finally, the patch modifies an earlier patch so that it covers additional language versions of IE.

Microsoft noted that, by default, Windows Server 2003 runs IE in Enhanced Security Configuration, which sets the Internet zone to the High security level and so disables the scripting and ActiveX behaviour these attacks rely on. However, it warned that if Enhanced Security Configuration were disabled, the system would be open to the same attacks as other Windows versions.
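An administrator verifying the two registry-backed mitigations mentioned above (the Kill Bit on an ActiveX control, and whether Enhanced Security Configuration is still enabled on a Windows Server 2003 box) can read them directly from the registry. The following PowerShell script is an added example written for this page, not code from the article or from Microsoft; the CLSID it checks is a hypothetical placeholder, since the article does not give the CLSID of the BR549.DLL control, and the two Active Setup component GUIDs are the ones Windows uses to track Enhanced Security Configuration for administrators and for other users.

```powershell
# Added audit helper (not from the article or Microsoft). Run from an elevated prompt.

# Kill-bit check. IE stores the Kill Bit per control under the ActiveX Compatibility
# key; bit 0x400 of the "Compatibility Flags" DWORD tells IE never to instantiate it.
function Test-KillBit {
    param(
        # CLSID of the control to check, braces included. The BR549.DLL CLSID is not
        # given in the article, so callers pass their own (placeholder used below).
        [Parameter(Mandatory)][string]$Clsid
    )
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band 0x400) -ne 0)
}

# IE Enhanced Security Configuration state. Windows tracks ESC as two Active Setup
# components (one for Administrators, one for all other users); IsInstalled = 1
# means ESC is enabled for that group.
function Get-IEEnhancedSecurityState {
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $ids = @{
        Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    $result = @{}
    foreach ($group in $ids.Keys) {
        $key = Join-Path $base $ids[$group]
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).IsInstalled
        $result[$group] = ($value -eq 1)
    }
    return $result
}

# Usage: replace the placeholder with the CLSID of the control you want to verify.
$clsid = '{00000000-0000-0000-0000-000000000000}'   # hypothetical placeholder CLSID
if (Test-KillBit -Clsid $clsid) {
    "Kill bit set for $clsid; IE will not load this control even if the DLL is reinstalled."
} else {
    "No kill bit for $clsid; a Web page can still instantiate this control."
}
$esc = Get-IEEnhancedSecurityState
"IE Enhanced Security Configuration: Administrators={0}, Users={1}" -f $esc.Administrators, $esc.Users
```

A Kill Bit only stops IE (and other hosts that honour the ActiveX Compatibility key) from instantiating the control; it does not remove the DLL, so a file-presence check alone says nothing about whether the mitigation is in force. Likewise, both ESC values should be checked, because the administrator and user components are toggled independently.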

The software titan also issued two separate patches on Wednesday, one for
Microsoft Data Access Components (MDAC) and the other for Microsoft
DirectX.

MDAC is a collection of components used to provide database connectivity on Windows platforms. The MDAC patch fixes a flaw that would allow an attacker to take a variety of actions, including executing arbitrary code. The flaw affects MDAC 2.5 (included with Windows 2000, Office 2000 SR1 and later, and SQL Server 7.0 SP2 and later), MDAC 2.6 (included with SQL Server 2000), and MDAC 2.7 (included with Windows XP and Visual Studio .NET).

DirectX is a group of graphics technologies for video, 3D animation and
audio applications. The DirectX patch fixes a flaw that could allow an
attacker to run programs on a computer running Windows, after the user
visits a malicious Web site or opens a malicious email.

The flaw affects DirectX 5.2 on Windows 98; DirectX 6.1 on Windows 98 SE; DirectX 7.0 on Windows 2000; DirectX 7.1 on Windows Millennium Edition; DirectX 8.0, 8.0a, 8.1, 8.1a and 8.1b on Windows 98, Windows 98 SE, Windows Me, Windows 2000, Windows XP or Windows Server 2003; DirectX 8.1 on Windows XP; DirectX 8.1 on Windows Server 2003; DirectX 9.0a on Windows 98, Windows 98 SE, Windows Me, Windows 2000, Windows XP or Windows Server 2003; Windows NT Server 4.0 with either Windows Media Player 6.4 or Internet Explorer 6 SP1; and Windows NT Server 4.0, Terminal Server Edition, with either Windows Media Player 6.4 or IE 6 SP1.
