Microsoft patches three critical browser flaws

By Ina Fried
Posted on ZDNet News: Jul 30, 2004 7:18:00 PM

Microsoft on Friday released a patch for Internet Explorer designed to close three critical holes in the browser, including one that paved the way for the Download.Ject Trojan horse.

The software maker offered a work-around earlier this month and had promised in recent days that a comprehensive fix would be coming soon. Microsoft has also worked with law enforcement to shut down the Russian server that had been the source of malicious code.

The new patch, which is available from Microsoft's security Web site, closes the hole, and Microsoft encouraged all IE users to update their browsers. Technically, the flaw is what's known as a cross-domain vulnerability, through which an attacker is able to cross a security boundary within the browser to deliver and execute malicious code.

Microsoft security program manager Stephen Toulouse said that the company was already working on an Internet Explorer update when it became aware in late June that the vulnerability was being exploited. "Once we became aware of the specific attack on our customers, that's when we began to mobilize," Toulouse said, pointing to the company's work with law enforcement and Internet service providers.

The patch also addresses two other publicly known flaws in IE, both related to image processing and both rated as critical because they could allow malicious code to be run on a vulnerable system.

Toulouse said the company does not know of any attacks related to these two flaws, but he added, "We want to make sure that customers have this update so they are protected."

Security company Symantec encouraged Web surfers to apply the patch.

"With the widespread use of Microsoft Internet Explorer in both the enterprise and consumer environments, it is critical that security patches be applied immediately," Alfred Huger, senior director of Symantec Security Response, said in a statement.

Some have said that IE vulnerabilities have become so common that Web surfers should consider other browsers.

Toulouse noted that the company has improved IE in the forthcoming Windows XP Service Pack 2, adding that those running that version of the operating system were not vulnerable to the attack because of changes the company made to the internal structure of the browser.

SponsoredWhite Papers, Webcasts, and Downloads

The Three Ps of Evaluating Managed Network Services Qwest Communications To reduce costs and keep IT resources focused on the core business, more ... Download Now
Business Analytics and Optimization for the Intelligent Enterprise IBM Corp. IBM Global Business Services, through the IBM Institute for Business ... Download Now
Total Economic Impact of SQL Server 2008 Upgrade Microsoft See how upgrading to Microsoft SQL Server 2008 can provide your company with an anticipated ROI of between 160 and 180 percent. Download Now

Talkback
Most Recent of 62 Talkback(s)

Thread View
Flat View

summary: I think the short version of it really is that they had to find the Indi programmer who put those backdoors in and offer him enough money to tell them what he did and fix it (while putting in more backdoors).... (Read the rest); Posted by: Outside T. Box Posted on: 08/01/04 You are currently: a Guest | Log in | Terms of Use