By Robert Lemos
Posted on ZDNet News: Dec 1, 2004 9:24:00 PM

Microsoft published a patch for Internet Explorer on Wednesday, aiming to close a month-old hole that has been used by viruses to spread and by an ad banner attack to compromise PCs.

The vulnerability, dubbed the Internet Explorer Elements flaw by Microsoft, had previously been called the iFrame vulnerability. The issue--which does not affect Microsoft's major Windows XP security update, Service Pack 2--could allow an attacker to take control of a victim's PC, if the user is logged on as an administrator. Most home users tend to log on to Windows as administrators.

A Microsoft representative said the software giant had released the update before its next scheduled patch day, Dec. 7, because the flaw had already been used by malicious software to compromise Windows users' PCs.

"That's one of the things that we factor in--when the customers are affected or there are active attacks," said Stephen Toulouse, security program manager at Microsoft's security response center.

An attacker can use the vulnerability to gain control of a person's computer when the victim clicks on a simple Web link. The attacker would then have complete control of the system, and could install programs, view, modify or delete data and create new accounts.

The patch arrived more than a month after news of the vulnerability was first posted on public security mailing lists. That public posting garnered criticism from Microsoft, which has led a drive to convince security researchers to give software makers at least 30 days to fix issues before outing the problem in public forums.

The IE flaw underscores that online criminals are all too willing to use the latest vulnerabilities to take illicit control of users' PCs.

Two computer viruses appeared on the Internet in early November, using the vulnerability in Microsoft's browser to infect PCs after their users clicked on a simple Web link. The viruses, called Bofra.A and Bofra.B by antivirus companies, were loosely based on the source code of MyDoom.

In addition, online intruders breached the security of at least one server at advertising host Falk last week and used the computer to distribute an attack to the service's clients, including The Register, a technology news and opinion site.

The IE Elements flaw affects PCs with IE version 6 installed, but does not affect computers that have been upgraded to Service Pack 2. Service Pack 2, the latest version of Windows XP, has been downloaded more than 130 million times, Microsoft's Toulouse said.

The latest update for IE 6 can be downloaded from Microsoft's security site or through Windows Update.
