Microsoft patches Internet Explorer flaws
The security update was released outside the company's monthly patch cycle
IDG News Service - Microsoft Corp. yesterday released a security patch to fix three known vulnerabilities in its Internet Explorer Web browser that have been exploited to attack Internet users.
The patch also includes a change in the basic authentication functionality in Internet Explorer that Microsoft announced last week. After installing the patch, the browser no longer supports handling usernames and passwords embedded in Web addresses using the "@" symbol, Microsoft said in a statement.
The security update was released outside of Microsoft's regular monthly patch cycle because of the seriousness of the problem, said Mike Reavey, a security program manager at Microsoft. The company's official patch day this month is Feb. 10.
One of the three newly patched flaws is rated "critical" by Microsoft, while two are "important." By taking advantage of two of the security flaws, attackers can run or save arbitrary code on a user's computer. The third flaw allows an attacker to spoof a Web site address and potentially trick users into providing personal information, Microsoft said.
The spoofing issue received wide publicity late last year, and Microsoft has been criticized for not delivering a fix sooner. The company said yesterday that it's providing the security update as soon as possible after completing development and testing.
In Microsoft's rating system for security issues, vulnerabilities that could allow a malicious Internet worm to spread without any action required on the part of the user are rated critical. Issues that won't lead to the spread of a worm without any action taken by the user but that could still expose user data or threaten system resources are rated important.
The problems affect all currently supported versions of Internet Explorer on currently supported operating systems. Users are urged to install the patch immediately, Microsoft said in Security Bulletin MS04-004.
The Internet Explorer 6 Service Pack 1 version of the patch also works on Windows 98, Windows 98 Second Edition and Windows Millennium Edition, which normally would get patches only by request because the products are in what Microsoft calls the extended support phase of their life cycle, Reavey said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts