Feeds

First Win 2003 patch is really for IE

Critical fix becomes moderate problem

  • alert
  • submit to reddit

The smart choice: opportunity from uncertainty

The first security patch that needs to be applied to Windows 2003 Server validates, rather than tarnishes, the design by default approach taken in developing Microsoft's flagship server OS.

Microsoft took the highly unusual step of ringing around journalists this afternoon to put this positive spin on the announcement of a patch for Internet Explorer designed to fix two newly discovered security vulnerabilities. The cumulative patch also includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0.

Simon Conant, a Security Program Manager at Microsoft, explained that although the vulnerabilities covered by the patch are 'critical' for versions of IE running on machines running MS clients, such as XP, the problem is only 'moderate' for Internet Explorer on Windows Server 2003.

The lesser risk for Win Server 2003 arises because, by default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks attacks based on the vulnerabilities which on other systems might allow an attacker to execute code on a user's system.

Despite this mitigating factor, Conant still encourages Windows Server 2003 users to apply Microsoft's patch because the "underlying issue is still there".

Although this is an IE problem, it still gives risk to apply the first patches to Windows Server 2003 but Conant said the lesser impact of the vulnerabilities on that platform demonstrate that Microsoft's more security-conscious approach is paying off.

Be that as is may, let's not forget that the flaws addressed by the patch are potentially devastating for the vast majority of Microsoft's installed base (who are running XP, Win 2000, 98, Me and NT).

A security advisory for Microsoft explains the underlying cause of the problems.

First up, there's a buffer overrun vulnerability that occurs because IE "does not properly determine an object type returned from a web server". In common with such buffer overflow exploits this creates a mechanism for attackers to inject hostile code onto vulnerable boxes by either tempting users to visit maliciously constructed Web sites or sending an HTML email that attempted to exploit the vulnerability.

There's also a flaw that results because IE does not implement an appropriate block on a file download dialog box. Again this vulnerability creates a possible means for an attacker to run arbitrary code on a user's system.

Credit for discovering the evil duo goes to eEye security.

More details on the issue, and links to patches, can be found in Microsoft's advisory. Microsoft strongly recommends that you apply its "critical" (except for Win Server 2003) security patches. ®

Related Stories

Wakey, Wakey it's Patching Day. Again
MS relieves patching 'pain point'
IT managers trust Microsoft on security...
Cost of securing Windows Server 2003? Nearly $200m
Trustworthy Computing does Moon Walk (but not yet)
Security 'impossible' for Win9x, buy XP now, says MS exec

Securing Web Applications Made Simple and Scalable

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.