News

Microsoft Posts Critical Patch for IE Ahead of Regular Schedule

• By Scott Bekker
• 12/01/2004

Microsoft considered the flaw, which has been public for about a month, important enough to release the patch ahead of its normal patching day, which falls on Dec. 14 this month.

Microsoft released the patch in security bulletin MS04-040, a cumulative patch for Internet Explorer that replaces a previous cumulative IE update included with MS04-038.

The flaw affects Internet Explorer 6.0, but not IE 5.0 or IE 5.5. Microsoft also says that IE 6.0 users are unaffected by the vulnerability if they have Windows XP Service Pack 2 installed or are using the version of the browser that shipped with Windows Server 2003.

The flaw results from an unchecked buffer in IE that processes certain HTML elements such as FRAME and IFRAME. The vulnerability has been referred to by others as the IFRAME vulnerability. Microsoft is officially calling the vulnerability the "HTML Elements Vulnerability."

If the victim is logged on as an administrator, an attacker can use the flaw to take complete control of the user's system over the Internet.

The security bulletin is available at www.microsoft.com/technet/security/bulletin/ms04-040.mspx.

Microsoft's bulletin acknowledges that the vulnerability was publicly disclosed and was being exploited already. Most security bulletins from Microsoft and other vendors are the first public disclosure of a problem and give end users in effect a grace period of a day or two to test and apply the patch before attackers begin exploiting it.

Public reports of the IFRAME or HTML Elements vulnerability began appearing in early November. US-CERT posted a vulnerability note about the problem on Nov. 3. By Nov. 21, the security firm LURHQ documented several sites that were using the vulnerability to compromise end-user systems with adware and trojans. The group warned that banner ads were being used to exploit the flaw to compromise systems. "The sites … are being rotated frequently and are not just small, unknown sites -- one of the hacked sites included a well-known Hollywood film studio's website," a LURHQ statement said.

Underscoring the importance of the patch is that it is only the fourth time Microsoft has issued a patch outside of its monthly patching day since instituting the process more than a year ago. The other out-of-band releases also involved unpatched flaws in Internet Explorer that were being exploited by attackers.