News Stay informed about the latest enterprise technology news and product updates.

Microsoft releases five fixes for IE, Windows

The software giant's monthly update fixes several IE flaws, including the createTextRange issue, and addresses vulnerabilities in a range of Windows programs.

Microsoft gave IT administrators plenty of work to do Tuesday, releasing a mega-fix that patches security holes in Internet Explorer (IE), Outlook Express and a variety of other programs within Windows. Attackers can use most of the flaws to take complete control of affected machines, the software giant warned.

Of the five security updates, three are rated critical, one important and one moderate.

More on Microsoft's updates

Read Inside MSRC, our special column featuring Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC). He offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most of the software giant's security updates. Check it out and let us know what you think.
Cumulative IE fix
The first update is a critical cumulative fix for IE. Among other things, it addresses the much-publicized createTextRange flaw, which has been reportedly targeted by more than 200 malicious Web sites.

Heightened anxiety regarding the flaw prompted Aliso Viejo, Calif.-based eEye Digital Security Inc. and Redwood City, Calif.-based vulnerability protection firm Determina Inc. to release their own fixes.

The cumulative update patches 10 IE security holes in all. Microsoft said an attacker could exploit these flaws to take complete control of an affected system and install programs; view, change or delete data; or create new accounts with full user rights.

Specifically, the update addresses problems in how the browser:

  • Displays Web pages that contain certain unexpected method calls to HTML objects (this is the createTextRange flaw);
  • Handles multiple event handlers in an HTML element;
  • Initiates an HTML application (HTA), where security controls within IE are bypassed;
  • Handles specially crafted and not valid HTML;
  • Instantiates COM objects that are not intended to be instantiated in IE;
  • Handles HTML elements that contain a specially crafted tag;
  • Handles double-byte characters in specially crafted URLs;
  • Returns IOleClientSite information when an embedded object is dynamically created;
  • Handles navigation methods; and
  • Could enable attackers to display spoofed content in a browser window.
  • ActiveX changes and compatibility patch
    The cumulative IE fix also makes changes in how the browser handles ActiveX controls. Microsoft was forced to make the adjustments as a result of the Eolas Technologies and the Regents of the University of California v. Microsoft patent case (Eolas v. Microsoft).

    Eolas and the University of California sued Microsoft for patent infringement in 1999, with Eolas claiming Microsoft infringed by baking ActiveX into IE. A jury sided with the plaintiffs in 2003 and awarded them damages of $520.6 million. The software giant appealed and won a retrial in 2005. The case was returned to the district court level, but despite the appeal Microsoft was forced to make the changes so it wouldn't be found in contempt of court.

    Although most Internet sites have already prepared for the changes, Microsoft said some enterprise customers asked for more time to ensure the changes won't have a serious impact on their networks.

    As a result, Tuesday's update includes a compatibility patch that temporarily returns IE to the previous functionality for handling ActiveX controls. Microsoft said the patch will work until an IE update is released as part of the June patching cycle, at which time the ActiveX changes will be made permanent.

    Patches for Windows, Outlook Express
    The second update is critical and fixes a remote code execution vulnerability in the RDS.Dataspace ActiveX control that is part of ActiveX Data Objects (ADO) and is distributed via Microsoft data access components (MDAC), a collection of components used to provide database connectivity on Windows platforms. An attacker who successfully exploited this vulnerability could take complete control of an affected system, Microsoft said.

    The third update is critical and fixes a remote code-execution vulnerability in Windows Explorer involving the way the program handles COM objects. "An attacker would need to convince a user to visit a Web site that could force a connection to a remote file server," Microsoft said. "This remote file server could then cause Windows Explorer to fail in a way that could allow code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system."

    The fourth update, rated important, is a cumulative fix for Outlook Express, addressing a remote code execution vulnerability that appears in Outlook Express when a Windows Address Book (.wab) file is used. Microsoft said attackers could exploit the flaw to take complete control of the affected system.

    The fifth update, deemed moderate, is a fix for a cross-site scripting vulnerability an attacker could exploit to run client-side script on behalf of a FrontPage Server Extensions (FPSE) user. "The script could spoof content, disclose information, or take any action that the user could take on the affected Web site," Microsoft said. "An attacker who successfully exploited this vulnerability against an administrator could take complete control of a FrontPage Server Extensions 2002 server."

    Odds and ends
    Also Tuesday, Microsoft re-released a February security update for Windows Media Player. This addressed a flaw in how Media Player handles processing bitmap files. An attacker could exploit the vulnerability by constructing a malicious bitmap file (.bmp) that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message, Microsoft said.

    The update was re-released Tuesday to advise customers that revised versions of the security update are available for Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2, the software giant said.

    And as it does every month, Microsoft updated its malware removal tool. This month's update removes Win32.Locksky, Win32.Valla and Win32.Reatle.

    Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.