Security News > 2004 > December > Microsoft releases patch to plug IE vulnerability
http://www.computerworld.com/securitytopics/security/story/0,10801,97957,00.html By Jaikumar Vijayan DECEMBER 01, 2004 COMPUTERWORLD As expected, Microsoft Corp. today released an out-of-cycle security bulletin and patch designed to fix a critical hole in the Internet Explorer Web browser that is already being widely exploited by attackers. The company also announced a change to Windows Update for three previously issued fixes from October for some users of Windows XP Service Pack 1. The vulnerability addressed by Microsoft's latest bulletin, MS04-040, was first disclosed on Oct. 24 and exists in the iFrame tags of Internet Explorer. The buffer overflow flaw allows attackers to take complete control of a compromised system and can be exploited by getting users to visit Web sites where malicious code can be downloaded. A proof-of-concept exploit named Bofra that takes advantage of the iFrame flaw has been available for several days and was used in launching attacks via banner ads last week that redirected users to rogue Web sites. "We are aware of some proof-of-concept code and public attacks" that take advantage of the flaw, said Stephen Toulouse, security program manager at Microsoft's security response center. That's why Microsoft is urging users to apply the latest patch as soon as possible, he added. The flaw doesn't affect users who have already installed XP SP2, he said. Meanwhile, Microsoft today reissued three of its fixes from October for users of SP1 who may not have been offered the updates earlier. The problem involves SP1 users who may have downloaded the SP2 patch but have not installed it on their computers yet. Microsoft's Windows Update and Automatic Updates service wouldnt have offered the October fixes automatically to such users, Toulouse said. Today's updates fixes the problem for those users. _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
News URL
http://www.computerworld.com/securitytopics/security/story/0,10801,97957,00.html
Related news
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws (source)
- Microsoft cleans up hot mess of Patch Tuesday preview (source)
- Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser (source)
- CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094) (source)
- Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch (source)
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws (source)