First Win 2003 patch is really for IE

Critical fix becomes moderate problem

Wed 4 Jun 2003 // 23:52 UTC

The first security patch that needs to be applied to Windows 2003 Server validates, rather than tarnishes, the design by default approach taken in developing Microsoft's flagship server OS.

Microsoft took the highly unusual step of ringing around journalists this afternoon to put this positive spin on the announcement of a patch for Internet Explorer designed to fix two newly discovered security vulnerabilities. The cumulative patch also includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0.

Simon Conant, a Security Program Manager at Microsoft, explained that although the vulnerabilities covered by the patch are 'critical' for versions of IE running on machines running MS clients, such as XP, the problem is only 'moderate' for Internet Explorer on Windows Server 2003.

The lesser risk for Win Server 2003 arises because, by default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks attacks based on the vulnerabilities which on other systems might allow an attacker to execute code on a user's system.

Despite this mitigating factor, Conant still encourages Windows Server 2003 users to apply Microsoft's patch because the "underlying issue is still there".

Although this is an IE problem, it still gives risk to apply the first patches to Windows Server 2003 but Conant said the lesser impact of the vulnerabilities on that platform demonstrate that Microsoft's more security-conscious approach is paying off.

Be that as is may, let's not forget that the flaws addressed by the patch are potentially devastating for the vast majority of Microsoft's installed base (who are running XP, Win 2000, 98, Me and NT).

A security advisory for Microsoft explains the underlying cause of the problems.

First up, there's a buffer overrun vulnerability that occurs because IE "does not properly determine an object type returned from a web server". In common with such buffer overflow exploits this creates a mechanism for attackers to inject hostile code onto vulnerable boxes by either tempting users to visit maliciously constructed Web sites or sending an HTML email that attempted to exploit the vulnerability.

There's also a flaw that results because IE does not implement an appropriate block on a file download dialog box. Again this vulnerability creates a possible means for an attacker to run arbitrary code on a user's system.

Credit for discovering the evil duo goes to eEye security.

More details on the issue, and links to patches, can be found in Microsoft's advisory. Microsoft strongly recommends that you apply its "critical" (except for Win Server 2003) security patches. ®

Topics

Special Features

Vendor Voice

Resources

Software

First Win 2003 patch is really for IE

Critical fix becomes moderate problem

Related Stories

More about

TIP US OFF

Other stories you might like

House passes bill banning Uncle Sam from snooping on citizens via data brokers

October 2025 will be a support massacre for a bunch of Microsoft products

Korean researcher details scheme abusing Apple's third-party pickup policy

Industrial systems integrating digitalisation

911 goes MIA across multiple US states, cause unclear

TSMC expects customers to pay more for chips fabbed overseas

NASA will send astronauts to patch up leaky ISS telescope

185K people's sensitive data in the pits after ransomware raid on Cherry Health

Admin alert: Copilot app lands on Windows Server 2022

Micron scores $6.1B CHIPS Act cash for New York and Idaho fabs

Google laying off staff again and moving some roles to 'hubs,' freeing up cash for AI investments

EU tells Meta it can't paywall privacy

About Us

Our Websites

Your Privacy