Critical Cumulative Security Update issued for Internet Explorer
SecurityNewsPortal ^ | 2/2/2004 | Microsoft
Posted on 02/02/2004 5:09:36 PM PST by justlurking
Microsoft has just released a cumulative update that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. Additionally, it eliminates the following three newly-discovered vulnerabilities:
- A vulnerability that involves the cross-domain security model of Internet Explorer. The cross domain security model of Internet Explorer keeps windows of different domains from sharing information. This vulnerability could result in the execution of script in the Local Machine zone. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who exploited this vulnerability could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user.
- A vulnerability that involves performing a drag-and-drop operation with function pointers during dynamic HTML (DHTML) events in Internet Explorer. This vulnerability could allow a file to be saved in a target location on the user's system if the user clicked a link. No dialog box would request that the user approve this download. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, code of the attacker's choice would not be executed, but could be saved on the user's computer in a targeted location.
- A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window.
Click here to go directly to the Microsoft TechNet page that will provide you with further information and the links to the various patches involved in this one...
Users can also use the built-in 'Windows Update' feature found in the Tools option of their IE browser to automatically get the update that is correct for their browser version.
TOPICS: Computers/Internet
KEYWORDS: lowqualitycrap; microsoft; windows
The interesting fix is #3: exploits for it have already been encountered "in the wild". Looks like they may have also fixed the recent problem reported by Secunia, although it's not clear (to me) from the description.
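An added example, not part of the original post or of Microsoft's bulletin: a small Python check that shows which host a URL really targets when text is placed before the "@", the pattern described in the third item above. The sample URLs, the `.example` host names, the finding labels and the use of `%01` as the sample special character are all constructed for illustration; the page does not name the characters involved.

```python
import re
from urllib.parse import urlsplit, unquote

# A dotted name such as www.trusted.example (hypothetical heuristic).
HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def is_control(ch):
    return ord(ch) < 0x20 or ord(ch) == 0x7F

def audit_url(url):
    """Report the host a URL really targets and any userinfo-based disguise."""
    findings = []
    if any(is_control(c) for c in url):
        findings.append("raw-control-char")
    parts = urlsplit(url)
    # netloc is [userinfo@]host[:port]; everything before the last '@' is userinfo.
    userinfo, at, _ = parts.netloc.rpartition("@")
    if at:
        findings.append("userinfo-present")
        decoded = unquote(userinfo)
        if any(is_control(c) for c in decoded):
            findings.append("control-char-in-userinfo")
        # Look at the name part only (before any ':password'), minus control chars.
        name = "".join(c for c in decoded.split(":", 1)[0] if not is_control(c))
        if HOSTLIKE.match(name):
            findings.append("userinfo-looks-like-host")
    return {"real_host": parts.hostname, "userinfo": userinfo, "findings": findings}

# Constructed sample URLs (not taken from the page).
SAMPLES = [
    "https://www.trusted.example/account",
    "ftp://alice:s3cret@files.trusted.example/pub",
    "http://www.trusted.example:80@untrusted.example/",
    "http://www.trusted.example%01@203.0.113.7/login.htm",
]

if __name__ == "__main__":
    for url in SAMPLES:
        result = audit_url(url)
        flags = ", ".join(result["findings"]) or "clean"
        print(f"{url}\n  real host: {result['real_host']}  [{flags}]")
```

A mail gateway or proxy log review can apply the same check to links before they reach a browser, treating any URL whose userinfo looks like a host name as worth blocking or flagging.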
To: justlurking
BTTT
2 posted on 02/02/2004 5:13:28 PM PST by Brad’s Gramma (BG (Logan's Personal Mafia Hit Squad))
To: justlurking
Got it this afternoon.
To: justlurking
I just installed a security update today.
Must be this one.
4 posted on 02/02/2004 5:20:22 PM PST by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
To: Ernest_at_the_Beach
Yep. Downloaded and installed the patch.
5 posted on 02/02/2004 5:29:15 PM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
To: justlurking
I installed this patch. It made my screen flicker funny. I then stabbed that guy who keeps putting bills in my mailbox.
I'm waiting now for that Fed Ex guy who seems to be stalking me.
To: justlurking
It also appears to fix the annoying scrolling "enhancement" Microsoft added with the November cumulative IE patch.
To: justlurking
Does it fix the problems caused by the last set of patches I installed for IE?
8 posted on 02/02/2004 6:12:18 PM PST by PAR35