Microsoft patches three critical browser flaws

Microsoft on Friday released a patch for Internet Explorer designed to close three critical holes in the browser, including one that paved the way for the Download.Ject Trojan horse.

The software maker offered a work-around earlier this month and had promised in recent days that a comprehensive fix would be coming soon. Microsoft has also worked with law enforcement to shut down the Russian server that had been the source of malicious code.

The new patch, which is available from Microsoft's security Web site, closes the hole, and Microsoft encouraged all IE users to update their browsers. Technically, the flaw is what's known as a cross-domain vulnerability, through which an attacker is able to cross a security boundary within the browser to deliver and execute malicious code.

Microsoft security program manager Stephen Toulouse said that the company was already working on an Internet Explorer update when it became aware in late June that the vulnerability was being exploited. "Once we became aware of the specific attack on our customers, that's when we began to mobilize," Toulouse said, pointing to the company's work with law enforcement and Internet service providers.

The patch also addresses two other publicly known flaws in IE, both related to image processing and both rated as critical because they could allow malicious code to be run on a vulnerable system.

Toulouse said the company does not know of any attacks related to these two flaws, but he added, "We want to make sure that customers have this update so they are protected."

Security company Symantec encouraged Web surfers to apply the patch.

"With the widespread use of Microsoft Internet Explorer in both the enterprise and consumer environments, it is critical that security patches be applied immediately," Alfred Huger, senior director of Symantec Security Response, said in a statement.

Some have said that IE vulnerabilities have become so common that Web surfers should consider other browsers.

Toulouse noted that the company has improved IE in the forthcoming Windows XP Service Pack 2, adding that those running that version of the operating system were not vulnerable to the attack because of changes the company made to the internal structure of the browser.

[wrwjpn]

What??

What do they mean by this?:

"The new patch, which is available from Microsoft's security Web
site, closes the hole, and Microsoft encouraged all IE users to
update their browsers"

If you have any of the Windows OSes then you have IE. Don't
they realize that??

What kind of idiots are working at MS?

[djugan]

Not necessarily so.....

By now, many astute IT workers and savvy home users have used one of the many tools available to "dis-integrate" Internet Explorer (all flavors), and have switched to more secure, more compliant, and more advanced browsers.

Replace Outlook and MS Virtual Machine, among other dubious Windows add-ons, and avoid 50%-75% of M$FT's monthly misery.

Many of us were doing this 4-5 years ago at the same time M$FT was lying to federal judges, claiming it couldn't be done.

Sorry, Chairman Bill -- just presenting the facts!

[bergrrt]

Duh,,,

I'm sick of it! All I can say is that it's all a big game, the best ever for all the spammers and hackers, etc., if they ever succeed in totally trashing the web where would they put all of that time and energy? Kind of like terrorists, no plan or ability to do anything positive and not enough common sense to think what they'd do if they destroyed the current system. They're good at little bits of crap but not enough brains amongst the lot of them to build something better.

[djugan]

See comment: Not necessarily so..... (above)

As I count down the list of security related patches issued for Windows 98 SE since it was released over five years ago, I've mitigated or eliminated 26 of 42 recommended security patches by "dis-integrating" the garbage from the OS.

Windows 98 SE, by virtue of its maturity and the ability to reduce it to "just Windows" is now, arguably, the most security hardened and stable OS for the home and small business PC user.

The world's biggest software company...

...and they just can't get rid of bugs and security holes. They just keep on doing what they've always done, and release brand new versions with brand new bugs and security holes.

Wait, maybe that's because they're a company built out of thousands of low-wage college kid hacks!?