-
June 5th, 2003, 11:26 AM
#1
Microsoft Patches Critical IE Flaws
http://www.eweek.com/article2/0,3959,1117645,00.asp
Microsoft Corp. on Wednesday released patches for two critical flaws in Internet Explorer that enable an attacker to run code on a vulnerable PC.
These two vulnerabilities are also the first to potentially affect the recently released Windows Server 2003 operating system. However, the new version of Windows blocks both of these attacks in its default configuration, according to Microsoft security executives.
The first vulnerability is a buffer overrun that results from IE's failure to properly determine an object type returned from a Web server. An attacker would be able to exploit this problem simply by having a user with a vulnerable machine visit a malicious Web site set up for this purpose. The user would not have to take any other actions once on the site.
The second vulnerability is a result of IE not implementing a block on a file download dialog box. Both vulnerabilities would allow the attacker to run code on the user's machine.
The problems affect IE 5.01, 5.5, 6.0 and 6.0 for Windows Server 2003. Microsoft executives say that the new security safeguards in Windows Server 2003 were designed specifically to prevent these kinds of attacks by default. Of course, customers often change the default configuration after installation.
"In the lock-down configuration, these vulnerabilities just don't fire," said Steve Lipner, director of security engineering strategy at Microsoft, based in Redmond, Wash. "We did it to achieve this benefit. That's a really significant thing."
Most installations of the new OS won't have a Web browser running very often anyway, Lipner said, unless it is to download security fixes or other updates. "You don't typically use this server for normal Web browsing," he said.
Microsoft officials have said that the first real test of its Trustworthy Computing initiative will be the security of its newest Windows release. They believe that if Windows Server 2003 shows real progress on security relative to older versions of Windows it will be a key validation for their effort.
And it won't be long before the first empirical evidence of that security is available. Lipner said Microsoft plans to release a comparison of the number of vulnerabilities found in Windows Server 2003 and older versions of the OS later this summer.
While the new patch is rated critical for all other versions of Windows, it is only a moderate risk for 2003 installations. The patch is available here.
http://www.microsoft.com/technet/tre...n/MS03-020.asp
-
June 5th, 2003, 11:34 AM
#2
-
June 5th, 2003, 04:50 PM
#3
Dr Evil
Hey Folks,
I tried to delete this thread about 5 times but it refuses to go away. There must be something wrong with AO.
Dr _Evil
-
June 5th, 2003, 08:13 PM
#4
Try contacting one of the Admins and ask them to remove it for you.