Thread: Microsoft Patches Critical IE Flaws

  1. #1
    Senior Member
    Join Date
    Dec 2002
    Posts
    309

    Microsoft Patches Critical IE Flaws

    http://www.eweek.com/article2/0,3959,1117645,00.asp


    Microsoft Corp. on Wednesday released patches for two critical flaws in Internet Explorer that enable an attacker to run code on a vulnerable PC.
    These two vulnerabilities are also the first to potentially affect the recently released Windows Server 2003 operating system. However, the new version of Windows blocks both of these attacks in its default configuration, according to Microsoft security executives.

    The first vulnerability is a buffer overrun that results from IE's failure to properly determine an object type returned from a Web server. An attacker would be able to exploit this problem simply by having a user with a vulnerable machine visit a malicious Web site set up for this purpose. The user would not have to take any other actions once on the site.


    The second vulnerability is a result of IE not implementing a block on a file download dialog box. Both vulnerabilities would allow the attacker to run code on the user's machine.

    The problems affect IE 5.01, 5.5, 6.0 and 6.0 for Windows Server 2003. Microsoft executives say that the new security safeguards in Windows Server 2003 were designed specifically to prevent these kinds of attacks by default. Of course, customers often change the default configuration after installation.

    "In the lock-down configuration, these vulnerabilities just don't fire," said Steve Lipner, director of security engineering strategy at Microsoft, based in Redmond, Wash. "We did it to achieve this benefit. That's a really significant thing."

    Most installations of the new OS won't have a Web browser running very often anyway, Lipner said, unless it is to download security fixes or other updates. "You don't typically use this server for normal Web browsing," he said.

    Microsoft officials have said that the first real test of its Trustworthy Computing initiative will be the security of its newest Windows release. They believe that if Windows Server 2003 shows real progress on security relative to older versions of Windows it will be a key validation for their effort.

    And it won't be long before the first empirical evidence of that security is available. Lipner said Microsoft plans to release a comparison of the number of vulnerabilities found in Windows Server 2003 and older versions of the OS later this summer.

    While the new patch is rated critical for all other versions of Windows, it is only a moderate risk for 2003 installations. The patch is available here.

    http://www.microsoft.com/technet/tre...n/MS03-020.asp

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Posts
    508

  3. #3
    Senior Member
    Join Date
    Dec 2002
    Posts
    309

    Dr Evil

    Hey Folks,

    I tried to delete this thread about 5 times but it refuses to go away. There must be something wrong with AO.

    Dr _Evil

  4. #4
    Banned
    Join Date
    Apr 2003
    Posts
    3,839
    Try contacting one of the Admins and ask them to remove it for you.
