By Robert Lemos
Posted on ZDNet News: Dec 1, 2004 9:24:00 PM

Microsoft published a patch for Internet Explorer on Wednesday, aiming to close a month-old hole that has been used by viruses to spread and by an ad banner attack to compromise PCs.

The vulnerability, dubbed the Internet Explorer Elements flaw by Microsoft, had previously been called the iFrame vulnerability. The issue--which does not affect Microsoft's major Windows XP security update, Service Pack 2--could allow an attacker to take control of a victim's PC, if the user is logged on as an administrator. Most home users tend to log onto Windows as administrators.

A Microsoft representative said the software giant had released the update before its next scheduled patch day, Dec. 7, because the flaw had already been used by malicious software to compromise Windows users' PCs.

"That's one of the things that we factor in--when the customers are affected or there are active attacks," said Stephen Toulouse, security program manager at Microsoft's security response center.

An attacker can use the vulnerability to gain control of a person's computer when the victim clicks on a simple Web link. The attacker would then have complete control of the system, and could install programs, view, modify or delete data and create new accounts.

The patch arrived more than a month after news of the vulnerability was first posted on public security mailing lists. That public posting garnered criticism from Microsoft, which has led a drive to convince security researchers to give software makers at least 30 days to fix issues before outing the problem in public forums.

The IE flaw underscores that online criminals are all too willing to use the latest vulnerabilities to take illicit control of users' PCs.

Two computer viruses appeared on the Internet in early November, using the vulnerability in Microsoft's browser to infect PCs after their users clicked on a simple Web link. The viruses, called Bofra.A and Bofra.B by antivirus companies, were loosely based on the source code of MyDoom.

In addition, online intruders breached the security of at least one server at advertising host Falk last week and used the computer to distribute an attack to the service's clients, including The Register, a technology news and opinion site.

The IE Elements flaw affects PCs with IE version 6 installed, but does not affect computers that have been upgraded to Service Pack 2. Service Pack 2, the latest version of Windows XP, has been downloaded more than 130 million times, Microsoft's Toulouse said.

The latest update for IE 6 can be downloaded from Microsoft's security site or through Windows Update.
