Microsoft has
released an important new patch for Internet Explorer’s critical IFRAME flaw,
which was disclosed in early November 2004.


Most likely because
of the rapid proliferation and appearance of new variants of the Bofra worm,
Microsoft has published a Security Bulletin, MS04-040
“Cumulative Security Update for Internet Explorer,” which addresses this threat
and other vulnerabilities in Internet Explorer. This Security Bulletin is
unusual because it breaks with Microsoft’s regular once-a-month release
schedule, and Microsoft has previously stated that it will only break from that
schedule if there is something of critical importance.

This cumulative
update replaces the recent MS04-038 cumulative
update but it is incompatible with some hot fixes so read the actual bulletin
carefully if you have any doubts about installing this patch.

Caution should be
exercised in installing these updates because Microsoft has also taken the
unusual step of placing a warning right at the top of this bulletin saying,
“This update may not include hotfixes that have been released since the release
of MS04-004
or MS04-038.
Customers who have received hotfixes from Microsoft or from their support
providers since the release of MS04-004 or MS04-038 should not install this update. Instead
customers should deploy update 889669.”

However, since this
threat is already being exploited the need to safely update or patch this
vulnerability is very great despite the changes in functionality it may cause
in some versions of IE.

As with other recent
IE updates the ShowHelp() control will no longer work after installing this
patch unless you also install the HTML help update. See Microsoft Knowledge Base Article 811630 for details.

If you already
installed the IE cumulative patch provided in MS04-004 then you are prevented from visiting URLs of
the type “” If not, then that will occur
when you install this update. Microsoft addresses that problem in Microsoft Knowledge Base Article 832414.

This update can be
removed in most cases. You might also want to glance at Knowledge Base Article 889293 “Cumulative
Security Update for Internet Explorer.”

Applicability – IE 6

Specifically, this

  • IE 6 on Windows 2000 SP1, SP3, and SP4
  • IE 6 on Windows XP SP1 and Windows XP
    SP1 64-bit Edition
  • IE 6 SP1 on Windows NT Server 4.0 SP1, Windows
    NT Server 4.0 SP6a, Windows NT Server 4.0 Terminal Server Edition SP6,
    Windows 98, 98SE, or Windows ME.

Not affected are:

  • IE 5.x
  • IE 6 on Windows XP SP2
  • IE 6 for Windows Server 2003 or Windows Server
    2003, 64-Bit Edition

Risk level – Critical

The exploit for this
vulnerability is well-known and attacks are could become epidemic in nature (from
Bofra, for
example). In addition, this is a disclosure of information threat and
exploiting it could also let a remote attacker run arbitrary code on the
vulnerable machine.

Mitigating factors

Windows XP SP2 is
not vulnerable.

Fix – Apply the correct patch

You must read the
entire bulletin carefully because there are several different patches depending
on exactly which OS and IE version and patch level you are running. You may
also find that you need to perform a manual update even if you normally use the
automatic update feature.

Final word

I applaud Microsoft
for relatively quick action on a vulnerability that they learned about only 30
days ago, the same time the exploit was published.

From a personal
standpoint, I’m also happy to see that, having gone ahead with a full, clean XP
SP2 install on my primary system, I don’t need to do anything about this

I’m not so happy
about the fact that these types of buffer overrun threats seem to be popping up
in all types of different code. It makes you wonder how many undiscovered
buffer overruns there are out there waiting to be recognized or exploited.

Also watch for …

  • The Skulls/Symbian
    B worm
    affects Series 60 smart cell phones by replacing menu icons
    with puzzle pieces (Skulls/Symbina A used skulls) but is even more
    dangerous because it can spread via Bluetooth protocols to any compatible
    devices within a short range.
  • Secunia reports that
    SUSE has released critical updates for several Linux servers.
  • reported
    that Mozilla has a release
    of its Thunderbird 1.0 e-mail management software.
  • Another report
    warns that phishers are becoming more sophisticated, creating Web sites
    and getting them listed on Google searches to lure in the unsuspecting.
  • In the no good deeds go unpunished area,
    reports that the creator of Nmap, a network mapping tool intended to be
    used by network administrators but also sometimes used by malicious
    individuals, says he is being hassled by the FBI who wants to take a peek
    at some of the logs from his Web site, presumably to try and locate
    some specific hackers. Nmap’s creator says this isn’t unusual in itself,
    but the volume of requests has increased.
  • Debian has released updates for libgd and
  • Vulnet reports that Microsoft
    has filed suits against seven XXX spammers under the provisions of the CAN-SPAM
    which requires sexually explicit e-mail offers to be
    specially marked.
  • The Ohio legislature recently passed a
    serious anti-SPAM
    bill, HB383
    which includes criminal penalties.