 |
 |
|
 |
|
|||
|
|||
|
|||
|
|
Microsoft plugs six more security holes in IE
By Sumner Lemon (IDG) -- Microsoft has released a patch that addresses six security vulnerabilities in its Internet Explorer browser, including a critical flaw that could allow an attacker to run code on a client machine. The patch is intended for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. Among the changes that are provided by the patch is a fix that closes a vulnerability in one of Internet Explorer's local HTML resources. One of the HTML files shipped with Internet Explorer contains a cross-site scripting vulnerability that could allow an attacker to execute a script on a user's computer, Microsoft said in a security bulletin issued Wednesday.
The patch also addresses two information disclosure vulnerabilities that could allow an attacker to read -- but not add, delete, or change -- data on a user's computer. Both the cross-site scripting vulnerability and the information disclosure vulnerabilities were rated as critical flaws by Microsoft. The patch also fixes a zone spoofing vulnerability that could allow a Web page to be viewed in Internet Explorer's Trusted Sites zone, allowing an attacker's Web page to be viewed with fewer security restrictions on a user's PC. The final vulnerabilities that the patch fixes are two content disposition vulnerabilities that could allow an attacker to fool Internet Explorer into thinking a malicious download is safe. These vulnerabilities were rated "low" to "moderate" by Microsoft. Besides the six vulnerabilities described by Microsoft, the patch also disables frames in Internet Explorer's Restricted Sites zone. As Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update and Outlook 2002 read e-mail in the Restricted Sites zone by default, this change also disables frames in HTML e-mail that is read using any of these applications. The change was made to eliminate the possibility that an HTML e-mail could automatically open a new window or download an executable file, Microsoft said. The patch is available for download from Microsoft's Web site: www.microsoft.com/windows/ie/downloads/critical/q321232/default.asp. |
|
|
|||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
|
RELATED STORIES:
• Microsoft offers free tool for security checks
April 10, 2002 • Microsoft patches two security holes in NT/2000 April 8, 2002 • Microsoft offers fix for two IE security holes April 1, 2002 RELATED IDG.net STORIES:
• Security hole in MSN Chat, Messenger could run code
(IDG.net) • Security hole in Flash player could run attack code (IDG.net) • Mozilla, Netscape hole allows remote text viewing (IDG.net) • MS fixes 10 flaws with 'critical' patch for IIS (IDG.net) • Industry group wants software holes kept mum (IDG.net) • D'oh! More holes in Internet Explorer (PCWorld.com) • Holes expose retail data (Computerworld) • Bug-reporting standard proposal pulled from IETF (Computerworld) RELATED SITES:
• Microsoft Corp.
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
TECHNOLOGY TOP STORIES:
• Report: SUVs pose danger to cars • New telemarketer tool trumps TeleZapper • Terra Lycos logs $2.2B loss • AOL to offer song downloads • Microsoft seeks fiscal fountain of youth (More) |
|||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||
| Back to the top | |
© 2003 Cable News Network LP, LLLP.
A Time Warner Company. All Rights Reserved. Terms under which this service is provided to you. Read our privacy guidelines. Contact us. |
