In a surprise move, Microsoft has released an out-of-cycle patch for the recently
exposed IFRAME vulnerability
that affects non-Windows XP SP2 users.
Microsoft itself rated the vulnerability “critical” and is recommending that all
affected customers (which is everyone that isn’t running XP SP2) should install the patch
Just last week Microsoft denied
that it would be issuing a patch out of cycle for the recently discovered vulnerability.
Bulletin MS04-040, which the company issued along with the patch, includes a summary of
the scope and causes of the vulnerability that the new patch is intended to fix.
The summary attributes the cause of the vulnerability to, “An unchecked buffer in Internet
Explorer processing of certain HTML elements such as FRAME and IFRAME elements.” The standard
HTML elements are commonplace on tens of millions of sites.
A malicious user that exploited the vulnerability “could take
complete control of an affected system, including installing programs; viewing, changing, or
deleting data; or creating new accounts that have full privileges,” according to the bulletin.
On Nov. 2 security firm Secunia reported the discovery of the vulnerability and labeled
it the IFRAME Buffer Overflow “Vulnerability.” At the time they noted that it was caused due to a
boundary error in the handling of certain attributes in the IFRAME HTML tag. A day later,
a pair of security researchers
independently reported additional exploits utilizing the IFRAME tag.
The IFRAME vulnerability garnered further interest
when it was utilized in a combination attack with MyDoom to infect a number of popular
The out-of-cycle patch is also particularly noteworthy, because it is directed at non-Windows
XP SP2 users. Among those are users of the company’s older operating systems,
such as Windows 98, which are affected by the flaw. Microsoft has said in the past
(and notes in its security bulletin) that it would only issue critical updates (as necessary)
for the older systems.
That said, Windows XP SP2 users may still not be out of the woods. Variants of the so called
continue to proliferate. Late last week the Greyhats Security Group, which positions itself as a “research group,” posted
a new drag and drop proof of concept it dubbed “LongNameVuln.”