IDG News Service - Two serious security flaws that could allow an attacker to take over a user's system exist in all current versions of Microsoft's Corp.'s Internet Explorer Web browser, including the one that ships with Windows Server 2003, Microsoft said today.
Affected are Internet Explorer Versions 5.01, 5.5, 6.0 and 6.0 for Windows Server 2003, Microsoft said in Security Bulletin MS03-020. The bulletin includes a software patch for all browser versions that the software vendor is urging users to install immediately.
With the announcement, Microsoft released its first security patch for Windows Server 2003, two months after the launch of the server product, touted as one of its most secure products ever. The company was quick to stress that it had not failed to deliver on its security promise, but that in fact the flaws demonstrate that its "secure by design, secure by default, and secure by deployment" approach is paying off.
"Windows Server 2003 in its default configuration is not vulnerable to this attack. Because of that, the severity rating on the predecessor platforms is 'critical,' but the severity rating on Windows Server 2003 is 'moderate,'" said Jeff Jones, senior director of Trustworthy Computing at Microsoft.
Internet Explorer on Windows Server 2003 is locked down, since users are not expected to use a server computer for general Web browsing. The software has a "reduced attack surface area," Jones said. However, because the underlying vulnerability still exists, Microsoft does want people to apply the patch.
Although Jones said he sees this as "a proof point for Trustworthy Computing," Forrester Research Inc. senior analyst Laura Koetzle warned that it's too early to draw any conclusions about the level of security in Windows Server 2003. "It is good that in the default configuration Windows Server 2003 is not vulnerable to this. However, I don't think we should jump the gun saying that Windows Server 2003 is clearly more secure than previous versions of Windows. All signs point to yes, but it is a bit premature to make that decision," Koetzle said.
The first vulnerability exists because Internet Explorer can automatically start downloading and running software if it is flooded by requests for software downloads, allowing an attacker to run arbitrary code on a user's computer, Microsoft said.
The second vulnerability exists because of a buffer overrun flaw in the way Internet Explorer reads "object tags" in Web pages. Object tags are used to embed objects such as Office documents or media files in a Web page. Buffer overrun flaws typically allow an attacker to gain control of a victim's computer.
Microsoft has a four-tier system for rating security issues. Vulnerabilities that could be exploited to allow malicious Internet worms to spread without user action are rated "critical." Issues that are rated "important" could still expose user data or threaten system resources. Vulnerabilities rated "moderate" are hard to exploit because of factors such as default configuration or auditing, or difficulty of exploitation. A "low" vulnerability is one for which exploitation is extremely difficult, or whose impact is minimal.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
