Microsoft to Cover IE Exploit

A fix for a widely exploited flaw in Internet Explorer is among five security patches Microsoft told users to expect next week.

Following weeks of speculation whether the CreateTextRange vulnerability would force the software giant to break from tradition
and release a special patch, Microsoft said Thursday the patch is among
four others slated for April 11.

The company expects to release five security patches: four (including
one deemed “critical”) affect the Windows operating system and one
addresses a “moderate” vulnerability in Microsoft Office.

“One of the updates will be a cumulative Internet Explorer update
that addresses the publicly known ‘CreateTextRange’ vulnerability,”
Microsoft wrote in an advance notification.

The official patch follows a
series of third-party fixes unveiled by security firms as a temporary solution.

While Microsoft doesn’t reveal details of upcoming security updates,
the company did say next week’s release will include a
“compatibility patch” providing developers a 60-day reprieve from
changes made to how IE processes ActiveX controls.

The compatibility software would forestall a permanent change to IE
brought after Microsoft lost a 2003 lawsuit to Eolas.

Microsoft planned to update IE requiring users to manually enable ActiveX
controls encountered on Web pages. The patch gives developers until June
to test their Web applications for compatibility with the proposed IE

Security vendors, upset over Microsoft’s reluctance to break from its
monthly security patch cycle, released several third-party patches to
provide immediate cures for their customers.

The episode left onlookers
questioning both the wisdom of applying unofficial fixes and Microsoft’s
slow response.

News Around the Web