Feeds

First Win 2003 patch is really for IE

Critical fix becomes moderate problem

  • alert
  • submit to reddit

Build a business case: developing custom apps

The first security patch that needs to be applied to Windows 2003 Server validates, rather than tarnishes, the design by default approach taken in developing Microsoft's flagship server OS.

Microsoft took the highly unusual step of ringing around journalists this afternoon to put this positive spin on the announcement of a patch for Internet Explorer designed to fix two newly discovered security vulnerabilities. The cumulative patch also includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0.

Simon Conant, a Security Program Manager at Microsoft, explained that although the vulnerabilities covered by the patch are 'critical' for versions of IE running on machines running MS clients, such as XP, the problem is only 'moderate' for Internet Explorer on Windows Server 2003.

The lesser risk for Win Server 2003 arises because, by default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks attacks based on the vulnerabilities which on other systems might allow an attacker to execute code on a user's system.

Despite this mitigating factor, Conant still encourages Windows Server 2003 users to apply Microsoft's patch because the "underlying issue is still there".

Although this is an IE problem, it still gives risk to apply the first patches to Windows Server 2003 but Conant said the lesser impact of the vulnerabilities on that platform demonstrate that Microsoft's more security-conscious approach is paying off.

Be that as is may, let's not forget that the flaws addressed by the patch are potentially devastating for the vast majority of Microsoft's installed base (who are running XP, Win 2000, 98, Me and NT).

A security advisory for Microsoft explains the underlying cause of the problems.

First up, there's a buffer overrun vulnerability that occurs because IE "does not properly determine an object type returned from a web server". In common with such buffer overflow exploits this creates a mechanism for attackers to inject hostile code onto vulnerable boxes by either tempting users to visit maliciously constructed Web sites or sending an HTML email that attempted to exploit the vulnerability.

There's also a flaw that results because IE does not implement an appropriate block on a file download dialog box. Again this vulnerability creates a possible means for an attacker to run arbitrary code on a user's system.

Credit for discovering the evil duo goes to eEye security.

More details on the issue, and links to patches, can be found in Microsoft's advisory. Microsoft strongly recommends that you apply its "critical" (except for Win Server 2003) security patches. ®

Related Stories

Wakey, Wakey it's Patching Day. Again
MS relieves patching 'pain point'
IT managers trust Microsoft on security...
Cost of securing Windows Server 2003? Nearly $200m
Trustworthy Computing does Moon Walk (but not yet)
Security 'impossible' for Win9x, buy XP now, says MS exec

The essential guide to IT transformation

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
Time to move away from Windows 7 ... whoa, whoa, who said anything about Windows 8?
Start migrating now to avoid another XPocalypse – Gartner
You'll find Yoda at the back of every IT conference
The piss always taking is he. Bastard the.
HANA has SAP cuddling up to 'smaller partners'
Wanted: algorithm wranglers, not systems giants
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.