Microsoft’s Security Bulletin MS03-04 includes a cumulative patch for several versions of Internet Explorer and addresses two new critical vulnerabilities. The patch for IE 5.01 supersedes the patches released in conjunction with MS02-068 and MS02-066, and other parts of this bulletin apply to IE 5.5 and IE 6.0.

The new vulnerabilities are cross-domain exploits involving a dialog box or the ShowHelp function. The attacker could take advantage of the flaws to run existing code on the target system or install new code.

The two new Improper Cross Domain Security Validation vulnerabilities have been assigned dialog box and ShowHelp functionality identifiers. If you need to explain this to nontechnical managers and/or users, there is a separate bulletin for them.

The cumulative patch and one of the new vulnerabilities apply to Internet Explorer 5.01, 5.5, and 6.0. The other new vulnerability applies only to IE 5.5 and 6.0. Both vulnerabilities are rated critical.

Risk level–critical
Although Microsoft has rated this patch as critical, I have some doubts about that rating, as I explain in the final analysis below. Since the patch will alter the way some help features work, you should evaluate the potential danger to your systems and decide whether this is really a critical patch for your systems.

Mitigating factors
These attacks require the visitor to visit a Web page designed to exploit the vulnerabilities or open an HTML e-mail that redirects the browser. Outlook Express 6.0 and Outlook 2002 would normally open HTML e-mails in the Restricted Sites Zone, as would Outlook 98 and Outlook 2000, if they had the recommended e-mail updates installed. This would tend to insulate users who simply view an e-mail message with a link to a malicious Web site, but if the user actually clicks on the link, that would eliminate any protection.

Microsoft warns that applying the patch in MS03-004 will disable window.showHelp(), and it will not work again until the latest “HTML Help control 811630 update” is installed. (You can get this from Windows Update.) When that installation is completed, the window.showHelp() function will work again but with limited capabilities. The shortcut help function will be disabled in some circumstances. Microsoft also warns that there is no uninstall for this patch and it will require a system reboot.

Final analysis
Microsoft is off to a rough start this year. Although there have only been four security bulletins released, two of them were listed as being of a critical nature.

However, I question why Microsoft rated this fix as critical. As I understood the plan, Microsoft was going to rate only the most widespread and vital problems as “critical,” and I was under the impression that this was supposed to apply mostly to attack vectors that would, if exploited, cause collateral damage to other systems—much like the SQL Slammer problem slowed Internet access for many people and companies. This appears to be nothing more than another annoying IE bug that has a slight chance of being exploited in the real world.