Microsoft on Monday broke from its patch-release schedule and released an update to plug three vulnerabilities in Internet Explorer.
The company considers the cumulative patch "critical," which is why the fix was released outside of its monthly update cycle. Since October,
Some expected a fix for the vulnerabilities last month when Microsoft released its patches. The best known of the three flaws, a URL-spoofing flaw, allows attackers to create bogus Web sites and phish for sensitive user data. The most serious flaw, a cross-domain vulnerability, could allow attackers to run code on affected systems.
Specifically, the spoofing vulnerability involves incorrect parsing of URLs that contain special characters. Exploiting the flaw, combined with misusing a feature in basic authentication, leads Internet Explorer to render a URL in the address window that is different from that of the page being viewed. The syntax of this attack involves using "username:password@" at the beginning of the URL.
Microsoft provides the following example. An attacker could create a link that would display as "http://www.tailspintoys.com" in the address bar -- but which actually contains content pulled from www.wingtiptoys.com.
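A defender-side check for the link shape described above, as an added example that is not part of the original article or of Microsoft's bulletin: it uses the standard URL parser to separate the "username:password@" part from the host that is actually contacted. The function names and sample links are constructed for illustration, reusing the two host names from Microsoft's example.

```javascript
// Added example (not from the article). Sample links below are constructed.
// Rough "looks like a host name" test: dotted labels ending in an alphabetic label.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$/i;

// Percent-decode without throwing on malformed sequences.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Classify one link by what precedes the "@" in its authority part.
function inspectLink(href) {
  let url;
  try { url = new URL(href); } catch (e) { return { href, verdict: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { href, verdict: "not-http" };
  }
  const user = safeDecode(url.username);
  const result = { href, realHost: url.hostname, userinfo: user, verdict: "clean" };
  if (user !== "" || url.password !== "") {
    // Any userinfo deserves a second look; userinfo shaped like a host name
    // that differs from the real host is the deceptive case.
    const mimics = HOSTLIKE.test(user) && user.toLowerCase() !== url.hostname;
    result.verdict = mimics ? "userinfo-mimics-host" : "userinfo-present";
  }
  return result;
}

// Return the link with userinfo removed: the address a user should be shown.
function stripUserinfo(href) {
  const url = new URL(href);
  url.username = "";
  url.password = "";
  return url.href;
}

// Constructed sample links.
const samples = [
  "http://www.tailspintoys.com@www.wingtiptoys.com/",
  "http://alice:secret@intranet.example/reports",
  "http://www.wingtiptoys.com/",
];
for (const s of samples) {
  const r = inspectLink(s);
  console.log(r.verdict.padEnd(22), r.realHost, "<-", s);
}
```

A mail or proxy filter could log the `userinfo-mimics-host` verdict and rewrite the link with `stripUserinfo` before it reaches the user.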
"I am sure that there has been a lot of pressure to get the address-spoofing vulnerability fixed, as it has been covered extensively in the media lately," said Thor Larholm, senior security researcher at Newport Beach, Calif.-based PivX Solutions LLC. "And, like it or hate it, security is more often than not treated as a public relations issue within Microsoft."
Larholm is encouraged. Microsoft said recently that it will completely disable basic authentication, which allows Internet Explorer to open HTTP and HTTPS sites by using a URL containing a user name and password.
"When this functionality change is implemented, it will mean a lot of malfunctioning Web sites, and Microsoft has received some credit lately for this security-over-functionality move," Larholm said.
But the flaw with the most potential for system damage is a cross-domain vulnerability that could allow attackers to run code on affected systems. Potential victims would need to click on a link in an HTML e-mail or view a Web site maintained by the attackers. In addition to being able to run code on affected systems, attackers could also access files on victims' systems.
The third vulnerability involves a glitch in how Internet Explorer handles dynamic HTML. Essentially, the flaw means that people could download a file just by clicking on a link. Attackers would have to set up a special Web site or HTML e-mail and then entice users into clicking on the link. When clicked, the file would be automatically downloaded to a specific location on a victim's machine without prompting. The file would only be stored, not executed.
FOR MORE INFORMATION: Microsoft security bulletin MS04-04.