First Win 2003 patch is really for IE

Critical fix becomes moderate problem


The first security patch that needs to be applied to Windows 2003 Server validates, rather than tarnishes, the design by default approach taken in developing Microsoft's flagship server OS.

Microsoft took the highly unusual step of ringing around journalists this afternoon to put this positive spin on the announcement of a patch for Internet Explorer designed to fix two newly discovered security vulnerabilities. The cumulative patch also includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0.

Simon Conant, a Security Program Manager at Microsoft, explained that although the vulnerabilities covered by the patch are 'critical' for versions of IE running on machines running MS clients, such as XP, the problem is only 'moderate' for Internet Explorer on Windows Server 2003.

The lesser risk for Win Server 2003 arises because, by default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks attacks based on the vulnerabilities which on other systems might allow an attacker to execute code on a user's system.

Despite this mitigating factor, Conant still encourages Windows Server 2003 users to apply Microsoft's patch because the "underlying issue is still there".

Although this is an IE problem, it still gives rise to the first patches for Windows Server 2003, but Conant said the lesser impact of the vulnerabilities on that platform demonstrates that Microsoft's more security-conscious approach is paying off.

Be that as it may, let's not forget that the flaws addressed by the patch are potentially devastating for the vast majority of Microsoft's installed base (who are running XP, Win 2000, 98, Me and NT).

A security advisory from Microsoft explains the underlying cause of the problems.

First up, there's a buffer overrun vulnerability that occurs because IE "does not properly determine an object type returned from a web server". In common with other buffer overflow flaws, this creates a mechanism for attackers to inject hostile code onto vulnerable boxes, either by tempting users to visit maliciously constructed Web sites or by sending an HTML email that attempts to exploit the vulnerability.

There's also a flaw that arises because IE does not implement an appropriate block on a file download dialog box. Again, this vulnerability creates a possible means for an attacker to run arbitrary code on a user's system.

Credit for discovering the evil duo goes to eEye security.

More details on the issue, and links to patches, can be found in Microsoft's advisory. Microsoft strongly recommends that you apply its "critical" (except for Win Server 2003) security patches. ®
