By Robert Lemos, News.com
Posted on ZDNet News: Feb 2, 2004 8:24:00 PM

Microsoft broke its once-a-month schedule on Monday to fix a critical flaw in Internet Explorer that could allow malicious coders to take control of an unwary user's PC.

The most serious problem, known as a cross-domain security vulnerability, affects all versions of Internet Explorer running on Windows NT, 2000 and XP. A person with a vulnerable system who clicks on a link in an HTML e-mail or goes to a hostile Web site could allow an attacker to run code on their computer, Microsoft said in its advisory.

News.context

What's new:
Microsoft issues a fix to a critical flaw in Internet Explorer that could allow malicious coders to take control of an unwary user's PC.

Bottom line:
The company broke from its regular pattern of issuing fixes monthly because of the seriousness of a flaw: a person with a vulnerable system who clicks on a link in an HTML e-mail or goes to a hostile Web site could allow an attacker to run code on their computer.

The seriousness of the issue forced the company to release the latest fixes before its normally scheduled date, the second Tuesday of the month.

"We evaluated the public nature of the vulnerabilities and heard from customers that this was impacting them, and we made the decision to publish," said Stephen Toulouse, security program manager with Microsoft's Security Response Center.

The update also fixes two other security flaws, including one that gained a lot of attention for its ability to make fake Web sites look real. Known as the phishing flaw, the problem allows scam artists to forge the address in the Internet Explorer browser's address bar to display an address different from the actual site to which the user was being sent.

Scammers typically use the flaw to build a site that looks like an official Web site and then send bulk e-mail messages that draw unsuspecting victims to the site. In January, the scam directed users to a site that looked like the official Federal Deposit Insurance Corp. Web site, asking for personal information to verify their identity. Instead, the fake Web site, based in Pakistan, collected the information in an attempt to steal from victims.

A third flaw allows a malicious Web site or HTML e-mail to download a file to a user's computer, without asking permission, when the user clicks on a specially crafted link.

Microsoft advised Windows users to update their software quickly.

Breaking from Microsoft's monthly patch schedule will not happen often, said Toulouse.

"We do believe very much in sticking to the once-a-month thing--our customers like the predictability," he said. "But we have always said that if we have to go out of the cycle to protect our customers we would do that."

  • Talkback
  • Most Recent of 42 Talkback(s)
Get and use a Mac. Wouldn't have these problems.
PC users just let Microsoft walk all over them, and take it sitting down. Like lambs. Don't squawk. Don't squeal. Just let Microsoft keep taking your money and keep allowing the promulgation of all so...
Posted by: peaceguy Posted on: 02/11/04