Microsoft Patches Critical Browser Flaw
Microsoft Corp. today issued two software updates to fix security holes in computers running its Windows operating systems, including a "critical" patch for a flaw in its Internet Explorer Web browser.
Three weeks ago, a researcher in the United Kingdom posted instructions online showing would-be attackers how to exploit a previously unknown flaw in IE to install software on vulnerable machines when users visit Web sites programmed to take advantage of the flaw. Microsoft and many in the security research community chastised the researcher for recklessly endangering the security of tens of millions of IE users; IE remains the most widely used Web browser worldwide. Microsoft said it knew of Web sites that were using the flaw to attack IE users, and that it hoped to issue an update soon to protect customers.
The IE patch is actually a "cumulative update," or bundle of patches that fixes at least four serious security problems with IE. My hat's off to Microsoft for fixing this problem quickly. The vulnerability is present in every version of IE and on nearly every version of Windows dating back to Windows 98. You can download the updates manually from Microsoft Update or -- for Windows 2000 and newer systems -- turn on automatic updates and let Microsoft handle the process for you.
This update does not, however, address another serious design flaw with the browser that an Israeli researcher found. That flaw could allow a Web site operator to see files on a visitor's computer -- files that store data about the user's relationship with other Web sites, such as passwords and usernames.
The second patch issued today mends a problem in the foundation of the Windows 2000 operating system that programs or viruses could potentially exploit to cause trouble on systems that are otherwise properly locked down and secure. Microsoft rated this flaw as "important" -- its second-most-severe category -- mainly because a number of configuration settings would have to line up just so on a Windows 2000 system for attackers to exploit the flaw. But if you are using any Windows machine, make sure to update: Microsoft acknowledges that a threat that takes advantage of this flaw could also be used to install software on your machine.
Finally, it's worth a follow-up mention that -- as promised -- the IE patch bundle also removes a component left behind by a patch designed to remove some of the more dangerous features of anti-piracy software installed by Sony BMG music CDs. Shortly after several viruses surfaced that took advantage of Sony's software to hide on infected PCs, Sony issued a patch to remove the program's file-hiding abilities. Researchers later found that patch actually modified IE to allow any Web site to install software on the visitor's computer. This latest IE patch eliminates that change.