Emergency IE Patch Fixes Critical Bug

By Larry Seltzer  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Updated: Microsoft's out-of-cycle patch for the Internet Explorer browser addresses the "IFRAME" bug that had already been exploited by hackers through ad servers.

Microsoft has issued a patch, out of its normal security patch cycle, for a critical bug in Internet Explorer versions from 6.0 up to but not including Windows XP Service Pack 2 (SP2).

According to the advisory issued by Microsoft, the bug could allow remote code execution on an affected system.

The bug was publicly reported in early November. Patches may be obtained from links on the advisory page.

The advisory also states that this patch, MS04-040, supercedes and replaces an earlier cumulative update, MS04-038.

But it may not contain hotfixes that were issued since the release of MS04-038, so users who have received hotfixes from Microsoft or another support provider should instead follow separate instructions in Knowledge Base article 889669.

The vulnerability is a buffer overflow in the handling of IFRAME and EMBED tags. By providing oversized source fields for those tags, an attacker could potentially execute arbitrary code on the user's system.

Normally, one would be subject to attack by browsing a Web page that has the attack built into it, but with very old, unpatched e-mail clients, it is also possible to be compromised through HTML e-mail.

Both Windows XP SP2 and Windows Server 2003 are unaffected by the bug, as are 5.x versions of Internet Explorer. Patches are available for Windows XP, Windows 2000, Windows NT 4.0, Windows ME and Windows 98.

Not long after the IE vulnerability details were made public, it was discovered that certain ad servers had been compromised by hackers to deliver the attack to users.

The vulnerability's severity is underscored by the fact that this is only the second time that Microsoft has issued an out-of-cycle security patch since it instituted its monthly patch cycles in November 2003. The first out-of-cycle patch, in February, addressed a group of serious Internet Explorer problems.

The incident with the compromised ad servers was not the only exploit of this problem since it was revealed in early November. "There have been several worms and Trojans that have attacked computers vulnerable to this bug over the last few weeks, so it's encouraging to see Microsoft go out of cycle to address it," said Ken Dunham, director of malicious code at security firm iDefense Inc.

A major motivation behind introducing a regular monthly patch cycle was to allow administrators to plan for patching in an organized, informed manner. Just recently, Microsoft began giving advance notice—three business days in advance of patch day—of the number of patches involved and the products affected, in order to enhance that ability to plan.

But this particular vulnerability is serious enough that other plans may get shelved. "Administrators will be looking to test and deploy this patch as soon as it's feasible," Dunham said.

Also today, Microsoft is making a change to Windows Update for three previously released security updates. Microsoft discovered that customers running Windows XP SP1 have not been offered the updates that apply to their computers from the October monthly release.

Microsoft attributed this to the fact that these updates are already included in Windows XP SP2, and this is the update that Windows Update and Automatic Updates presents to these users.

Click here for a story on the risks and benefits of installing Windows XP SP2.

The company said it continues to encourage customers to install Windows XP SP2, but it is making the October updates available Wednesday to all Windows XP SP1 users to help ensure that they are protected in the meantime.

Editor's Note: This story was updated to include comments from iDefense and further details.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...