Out-of-cycle fix for IE IFRAME flaw

Bill Brenner

Microsoft veered outside its monthly patching cycle Wednesday to fix a "critical" IFRAME vulnerability in Internet Explorer that has already been the focus of several malicious exploits.

"This bulletin addresses a publicly disclosed security vulnerability in IE known as 'IFRAME' that could allow a malicious attacker to run malicious software on the user's computer," a spokeswoman for the software giant said by e-mail. "Microsoft recommends that customers install the update immediately."

The bulletin offers a cumulative fix for IE, replacing an update for the browser that was part of the October patch rollout.

Of the IFRAME vulnerability, the security bulletin said if a user is logged on with administrative privileges, "an attacker who successfully exploited this vulnerability could take complete control of an affected system" to install programs, view, change or delete data or create new accounts with full privileges. "Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges," the bulletin said.

The vulnerability was discovered Oct. 24 and affects all Windows platforms except those running XP SP2. It is caused by a boundary error in the handling of certain attributes in the IFRAME HTML tag and can be exploited to cause a buffer overflow via a malicious HTML document containing overly long strings in the "src" and "name" attributes of the IFRAME tag.
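For defenders triaging stored pages, mail bodies or proxy captures, the condition described above (oversized "src" or "name" values on an IFRAME tag) can be checked mechanically. The following is an added example, not code from the article or from Microsoft; the 256-character limit, the function and class names, and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: the article gives no length at which the overflow triggers,
# so this limit is an arbitrary triage threshold, not a documented boundary.
MAX_ATTR_LEN = 256
WATCHED_ATTRS = ("src", "name")  # the two attributes named in the article


class IframeAttrScanner(HTMLParser):
    """Collects IFRAME tags whose src/name values exceed the limit."""

    def __init__(self, limit=MAX_ATTR_LEN):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME SRC=...>
        # and <iframe src=...> are treated alike.
        if tag != "iframe":
            return
        line, _col = self.getpos()
        for name, value in attrs:
            if name in WATCHED_ATTRS and value is not None and len(value) > self.limit:
                self.findings.append({"line": line, "attr": name, "length": len(value)})


def scan_html(document, limit=MAX_ATTR_LEN):
    """Return one finding per oversized src/name attribute on an IFRAME tag."""
    scanner = IframeAttrScanner(limit)
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed sample input: filler characters only, not taken from any exploit.
SAMPLE = (
    "<html><body>\n"
    '<IFRAME SRC="http://example.test/banner.html" NAME="ad"></IFRAME>\n'
    '<iframe src="' + "A" * 600 + '" name="' + "B" * 40 + '"></iframe>\n'
    "<iframe src=\"about:blank\" name=" + "C" * 300 + "></iframe>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

A hit is a reason to inspect the document, not proof of an exploit attempt; legitimate pages can carry long URLs, so the limit should be tuned against known-good traffic.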

The security hole has been targeted by variants of the Mydoom and Bofra worms in the last month. Attackers have also used vectors hidden in Web site ad banners to exploit the vulnerability.

The Microsoft spokeswoman also announced Wednesday that Microsoft is changing the Windows Update for three previously released security bulletins.

"Microsoft discovered that customers running Windows XP SP1 have not been offered the updates that apply to their computer from the October monthly release," she said. "This is due to the fact that these updates are already included in Windows XP SP2 and this is the update that Windows Update and Automatic Update presents to these users. Microsoft continues to encourage customers to install Windows XP Service Pack 2, but we are making the October updates available today to all Windows XP SP1 users to help ensure they are protected in the meantime."
