October 09, 2003

Another Critical IE Cumulative Patch Released

Microsoft has recently released yet another cumulative patch for Internet Explorer 5.01 and later. This one is classified as critical, and Microsoft Security Bulletin MS03-040 describes it in more detail. To save you some time, here's the actual download link.

To sum up the Microsoftese: With the latest vulnerability, an attacker could run programs on your computer when you are viewing a Web page. An attacker could also craft an HTML-based e-mail, so you could be attacked by spam with teeth.

When visiting an attacker's Web site, it could be possible for the web site to exploit this vulnerability without any other action by you, particularly if ActiveX is fully enabled in IE. Please see my post yesterday -- this is precisely the reason why I recommended setting IE's ActiveX controls to "prompt" nearly two years ago. While the prompts are annoying, they shift control back to you over what is or isn't installed via the web browser. The most prudent course of action is to install the latest IE patch and change its ActiveX settings to "prompt" if you haven't already.
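As an added example that is not part of the original post, the PowerShell snippet below audits the Internet zone's ActiveX policies for the current user and flags any that are silently set to "Enable" rather than "Prompt". It assumes the standard IE zone registry layout (Zones\3 is the Internet zone, and each policy is a DWORD where 0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not from the post): audit the Internet zone's ActiveX
# settings in the current user's IE configuration. Assumes the standard
# IE zone registry layout: Zones\3 is the Internet zone, and each policy
# is a DWORD where 0 = Enable, 1 = Prompt, 3 = Disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# ActiveX-related policy IDs in the Internet zone and what each one controls
$activeXPolicies = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Read every value under the Internet zone key at once
$zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop

foreach ($id in ($activeXPolicies.Keys | Sort-Object)) {
    $value = $zone.$id
    if ($null -eq $value) {
        $state = 'not set (zone default applies)'
    } elseif ($labels.ContainsKey([int]$value)) {
        $state = $labels[[int]$value]
    } else {
        $state = "unknown ($value)"
    }

    # Flag any ActiveX policy that runs with no prompt in the Internet zone
    $flag = if ($value -eq 0) { '  <-- consider Prompt (1) or Disable (3)' } else { '' }
    '{0}  {1,-58} {2}{3}' -f $id, $activeXPolicies[$id], $state, $flag
}

# To move a flagged policy to "Prompt" for the current user, e.g. policy 1200:
#   Set-ItemProperty -Path $zonePath -Name '1200' -Value 1 -Type DWord
```

Group Policy or an administrator-set HKLM zone configuration can override the per-user values read here, so an audit on a managed machine should check the effective policy rather than only HKCU.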

Per Microsoft, this vulnerability affects all computers that have Internet Explorer installed. You do not have to be using Internet Explorer as your web browser to be affected by this issue.

Several related caveats:

  • A prior IE cumulative patch disabled some of IE's HTML Help functions. Since the current patch includes all prior patches, this one will also disable the same functions. You can address this by downloading the necessary HTML Help patch via the MS Knowledge Base Article 811630.
  • In addition, an attacker could use Windows Media Player's (WMP) ability to open URLs to construct an attack as described above. Therefore, MS recommends patching the Windows Media Player as well. This patch is available via the MS Knowledge Base Article 828026.

It's good to see MS releasing these patches, but its monopoly position paints a rather large bullseye on its tail for hackers. Given the sheer volume of security holes in MS products, it was only a matter of time until it had to face a class action suit in California as a result.

Topic(s):   Privacy & Security
Posted by Jeff Beard