
Out-of-cycle fix for IE IFRAME flaw

Microsoft issued an unscheduled fix Wednesday for the IFRAME vulnerability in Internet Explorer, which has already been exploited in the wild.

Microsoft veered outside its monthly patching cycle Wednesday to fix a "critical" IFRAME vulnerability in Internet Explorer that has already been the focus of several malicious exploits.

"This bulletin addresses a publicly disclosed security vulnerability in IE known as 'IFRAME' that could allow a malicious attacker to run malicious software on the user's computer," a spokeswoman for the software giant said by e-mail. "Microsoft recommends that customers install the update immediately."

The bulletin offers a cumulative fix for IE, replacing an update for the browser that was part of the October patch rollout.

The security bulletin said that if a user is logged on with administrative privileges, "an attacker who successfully exploited this vulnerability could take complete control of an affected system" to install programs; view, change or delete data; or create new accounts with full privileges. "Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges," the bulletin said.

The vulnerability was discovered Oct. 24 and affects Internet Explorer on all Windows platforms except those running Windows XP SP2. It is caused by a boundary error in the handling of certain attributes of the IFRAME HTML tag: a malicious HTML document containing overly long strings in the tag's "src" and "name" attributes triggers a buffer overflow, which is what lets an attacker run code with the privileges of the logged-on user simply by getting that user to view the page.
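As an added example (not part of the original article and not Microsoft's code), the following Python scanner turns the mechanism just described into a content-inspection heuristic of the kind a proxy or mail gateway could apply while the patch was being rolled out: it flags IFRAME tags whose "src" or "name" attribute is longer than a threshold. The threshold value, the sample documents and the class and function names are assumptions for illustration; the real exploit strings were simply "overly long", and a scanner like this is a stopgap, not a substitute for installing the update.

```python
import html.parser

# Assumed threshold for illustration: legitimate src/name attributes are
# normally far shorter than this, while the overflow needs overly long strings.
MAX_ATTR_LEN = 256
SUSPECT_ATTRS = ("src", "name")


class IframeAttrScanner(html.parser.HTMLParser):
    """Record IFRAME tags whose src/name attribute values exceed max_len."""

    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__()
        self.max_len = max_len
        # Each finding is (line number of the tag, attribute name, value length).
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names; the extra
        # lower() calls make the intent explicit.
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            # A bare attribute (e.g. <iframe src>) arrives with value None.
            if value is None:
                continue
            if name.lower() in SUSPECT_ATTRS and len(value) > self.max_len:
                self.findings.append((self.getpos()[0], name.lower(), len(value)))


def scan_html(document, max_len=MAX_ATTR_LEN):
    """Return the list of suspicious IFRAME attribute findings in document."""
    scanner = IframeAttrScanner(max_len)
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed sample documents (not captured traffic).
BENIGN = (
    '<html><body>'
    '<iframe src="http://example.test/ad.html" name="ad"></iframe>'
    '</body></html>'
)
SUSPICIOUS = (
    '<html><body>\n'
    '<iframe src="' + "A" * 1024 + '" name="' + "B" * 1024 + '"></iframe>\n'
    '</body></html>'
)

if __name__ == "__main__":
    print(scan_html(BENIGN))      # []
    print(scan_html(SUSPICIOUS))  # [(2, 'src', 1024), (2, 'name', 1024)]
```

Because the parser reports the attribute value after HTML entity decoding, padding the string with entities does not shrink the measured length; an attacker can still vary tag spelling or split content across documents, so the check is useful only as a quick filter on top of patching.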

The security hole has been targeted by variants of the Mydoom and Bofra worms in the last month. Attackers have also planted exploit code in Web site ad banners to reach the vulnerability.

The Microsoft spokeswoman also announced Wednesday that Microsoft is changing the Windows Update for three previously released security bulletins.

"Microsoft discovered that customers running Windows XP SP1 have not been offered the updates that apply to their computer from the October monthly release," she said. "This is due to the fact that these updates are already included in Windows XP SP2 and this is the update that Windows Update and Automatic Update presents to these users. Microsoft continues to encourage customers to install Windows XP Service Pack 2, but we are making the October updates available today to all Windows XP SP1 users to help ensure they are protected in the meantime."
