Microsoft Goes Off-Cycle for ‘Critical’ IE Patch

Microsoft on Monday released an oft-delayed cumulative patch to fix several known security holes in its flagship Internet Explorer (IE) browser.

The software giant issued the IE fix outside of its scheduled release cycle because of the “critical” nature of the patch and because proof-of-concept exploits have been circulating on several mailing lists.

Microsoft said the IE update would eliminate three vulnerabilities, including a URL-spoofing flaw being exploited by scammers, a file download flaw that could lead to harmful code execution and a bug in the cross-domain security model of IE that could lead to system takeover.

Details of the URL-spoofing flaw have been circulating for several months and, just last week, Microsoft explained that Monday’s IE patch could return error messages on Web sites that use clear text to authenticate user names and passwords.
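The article does not spell out why the patch breaks sites that pass clear-text credentials, so the following is an added example, not code from the article or from Microsoft. It assumes the "clear text user names and passwords" referred to above are credentials embedded in the URL itself (the `http://user:password@host/` form), which is how the URL-spoofing flaw was commonly described at the time; treat that mapping as this example's assumption. The script audits a list of links (constructed here) for that form, so an administrator can find links on their own site that will stop working after the update, and separately flags links whose user-name field is shaped like a hostname, the pattern a reader would see in a spoofed link where the name shown is not the real host.

```python
import re
from urllib.parse import urlsplit

# Constructed sample links for this demonstration (not taken from the article).
SAMPLE_LINKS = [
    "http://www.example.com/login",
    "http://alice:s3cret@intranet.example.com/reports",
    "http://www.example.com@203.0.113.10/secure/login",
    "https://shop.example.com/cart?next=/checkout",
]

# A user-name field that itself looks like a DNS name is the tell-tale shape of
# a spoofed link: the reader sees "www.example.com" but the real host is what
# follows the "@".
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def credentials_in_url(url):
    """Return (username, password, real_host) when the authority part of the
    URL carries a 'user:password@' prefix, or None when it does not."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    return (parts.username or "", parts.password or "", parts.hostname or "")


def classify(url):
    """Classify one link.

    'clean'      - no credentials embedded in the URL
    'plaintext'  - credentials embedded; the password travels in clear text and
                   the link will break once the browser stops honouring the form
    'spoof-like' - the user-name field is shaped like a hostname, so the
                   displayed name and the real host differ
    """
    found = credentials_in_url(url)
    if found is None:
        return "clean"
    user, _password, _real_host = found
    if HOSTLIKE.match(user):
        return "spoof-like"
    return "plaintext"


def audit(links):
    """Map every link to its classification so a site owner can review them."""
    return {url: classify(url) for url in links}


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}")
```

Run against a crawl of your own pages, the `plaintext` hits are the links to fix before (or after) applying such a patch, and `spoof-like` hits in inbound mail or web logs are worth a closer look. The classification relies only on `urllib.parse.urlsplit`, which already separates the user-info part from the real host, so no hand-written URL parsing is needed.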

The patch, which is applicable for users of IE versions 5.01, 5.5 and 6.0, also fixes a vulnerability that involves performing a drag-and-drop operation with function pointers during dynamic HTML events in the browser.

“This vulnerability could allow a file to be saved in a target location on the user’s system if the user clicked a link. No dialog box would request that the user approve this download,” Microsoft said, confirming an earlier warning that it could be exploited to trick users into downloading malicious files.

Ryan Naraine
Ryan Naraine is an eSecurity Planet, ServerWatch, and eWEEK contributor.
