Microsoft rushes out IE fix

By Derek Sooman on December 2, 2004, 12:32 PM
Breaking its normal security patch cycle, Microsoft has rushed out a fix for a critical bug in Internet Explorer versions from 6.0 up to, but not including, the one in Windows XP Service Pack 2 (SP2). The bug is in the way IE handles two attributes of the "frame" and "iframe" HTML elements, and it has already been exploited using overly long SRC and NAME attributes to cause IE to execute an attacker's shellcode.

"Normally, one would be subject to attack by browsing a Web page that has the attack built into it, but with very old, unpatched e-mail clients, it is also possible to be compromised through HTML e-mail."

As mentioned above, XP SP2 systems and Windows Server 2003 are not affected by the bug. Patches are available for Windows XP, Windows 2000, Windows NT 4.0, Windows ME and Windows 98.

User Comments: 2

danielwang said:
I wouldn't call this 'rush'. The fix was released 30 days after the vulnerability was announced, and 28 days after the first exploit was discovered. Given how fast exploits have become, the fix is just not fast enough.
Julio said:
I think when they say rush they mean it was outside their schedule. The fix was for the iframe exploit that got some press a week ago or so, after AdFalk (European-based ad server solution) was compromised. This of course especially affected its customers, which include The Register and sites on the Rydium Network (TS's former ad partner).