[ISN] Microsoft releases patch to plug IE vulnerability

[InfoSec News]

http://www.computerworld.com/securitytopics/security/story/0,10801,97957,00.html

By Jaikumar Vijayan 
DECEMBER 01, 2004 
COMPUTERWORLD

As expected, Microsoft Corp. today released an out-of-cycle security
bulletin and patch designed to fix a critical hole in the Internet
Explorer Web browser that is already being widely exploited by
attackers.

The company also announced a change to Windows Update for three
previously issued fixes from October for some users of Windows XP
Service Pack 1.

The vulnerability addressed by Microsoft's latest bulletin, MS04-040,
was first disclosed on Oct. 24 and exists in the iFrame tags of
Internet Explorer. The buffer overflow flaw allows attackers to take
complete control of a compromised system and can be exploited by
getting users to visit Web sites where malicious code can be
downloaded.

A proof-of-concept exploit named Bofra that takes advantage of the
iFrame flaw has been available for several days and was used in
launching attacks via banner ads last week that redirected users to
rogue Web sites.

"We are aware of some proof-of-concept code and public attacks" that
take advantage of the flaw, said Stephen Toulouse, security program
manager at Microsoft's security response center. That's why Microsoft
is urging users to apply the latest patch as soon as possible, he
added.

The flaw doesn't affect users who have already installed XP SP2, he
said.

Meanwhile, Microsoft today reissued three of its fixes from October
for users of SP1 who may not have been offered the updates earlier.  
The problem involves SP1 users who may have downloaded the SP2 patch
but have not installed it on their computers yet.

Microsoft's Windows Update and Automatic Updates service wouldnt have
offered the October fixes automatically to such users, Toulouse said.  
Today's updates fixes the problem for those users.