Enterprise Software

Microsoft releases timely patch for critical IFRAME flaw

A month after the critical IFRAME vulnerability in Internet Explorer was disclosed, Microsoft has released a special patch to fix it. This flaw is already being targeted by a new worm.

Microsoft has released an important new patch for Internet Explorer's critical IFRAME flaw, which was disclosed in early November 2004.


Most likely because of the rapid proliferation and appearance of new variants of the Bofra worm, Microsoft has published a Security Bulletin, MS04-040 "Cumulative Security Update for Internet Explorer," which addresses this threat (CAN-2004-1050) and other vulnerabilities in Internet Explorer. This Security Bulletin is unusual because it breaks with Microsoft's regular once-a-month release schedule, and Microsoft has previously stated that it will only break from that schedule if there is something of critical importance.

This cumulative update replaces the recent MS04-038 cumulative update but it is incompatible with some hot fixes so read the actual bulletin carefully if you have any doubts about installing this patch.

Caution should be exercised in installing these updates because Microsoft has also taken the unusual step of placing a warning right at the top of this bulletin saying, "This update may not include hotfixes that have been released since the release of MS04-004 or MS04-038. Customers who have received hotfixes from Microsoft or from their support providers since the release of MS04-004 or MS04-038 should not install this update. Instead customers should deploy update 889669."

However, since this threat is already being exploited the need to safely update or patch this vulnerability is very great despite the changes in functionality it may cause in some versions of IE.

As with other recent IE updates the ShowHelp() control will no longer work after installing this patch unless you also install the HTML help update. See Microsoft Knowledge Base Article 811630 for details.

If you already installed the IE cumulative patch provided in MS04-004 then you are prevented from visiting URLs of the type "username:password@host.com." If not, then that will occur when you install this update. Microsoft addresses that problem in Microsoft Knowledge Base Article 832414.

This update can be removed in most cases. You might also want to glance at Knowledge Base Article 889293 "Cumulative Security Update for Internet Explorer."

Applicability - IE 6

Specifically, this affects:

  • IE 6 on Windows 2000 SP1, SP3, and SP4
  • IE 6 on Windows XP SP1 and Windows XP SP1 64-bit Edition
  • IE 6 SP1 on Windows NT Server 4.0 SP1, Windows NT Server 4.0 SP6a, Windows NT Server 4.0 Terminal Server Edition SP6, Windows 98, 98SE, or Windows ME.

Not affected are:

  • IE 5.x
  • IE 6 on Windows XP SP2
  • IE 6 for Windows Server 2003 or Windows Server 2003, 64-Bit Edition

Risk level – Critical

The exploit for this vulnerability is well-known and attacks are could become epidemic in nature (from Bofra, for example). In addition, this is a disclosure of information threat and exploiting it could also let a remote attacker run arbitrary code on the vulnerable machine.

Mitigating factors

Windows XP SP2 is not vulnerable.

Fix – Apply the correct patch

You must read the entire bulletin carefully because there are several different patches depending on exactly which OS and IE version and patch level you are running. You may also find that you need to perform a manual update even if you normally use the automatic update feature.

Final word

I applaud Microsoft for relatively quick action on a vulnerability that they learned about only 30 days ago, the same time the exploit was published.

From a personal standpoint, I'm also happy to see that, having gone ahead with a full, clean XP SP2 install on my primary system, I don't need to do anything about this update.

I'm not so happy about the fact that these types of buffer overrun threats seem to be popping up in all types of different code. It makes you wonder how many undiscovered buffer overruns there are out there waiting to be recognized or exploited.

Also watch for …

  • The Skulls/Symbian B worm affects Series 60 smart cell phones by replacing menu icons with puzzle pieces (Skulls/Symbina A used skulls) but is even more dangerous because it can spread via Bluetooth protocols to any compatible devices within a short range.
  • Secunia reports that SUSE has released critical updates for several Linux servers.
  • News.com reported that Mozilla has a release candidate of its Thunderbird 1.0 e-mail management software.
  • Another News.com report warns that phishers are becoming more sophisticated, creating Web sites and getting them listed on Google searches to lure in the unsuspecting.
  • In the no good deeds go unpunished area, Silicon.com reports that the creator of Nmap, a network mapping tool intended to be used by network administrators but also sometimes used by malicious individuals, says he is being hassled by the FBI who wants to take a peek at some of the logs from his insecure.org Web site, presumably to try and locate some specific hackers. Nmap's creator says this isn't unusual in itself, but the volume of requests has increased.
  • Debian has released updates for libgd and libgd2.
  • Vulnet reports that Microsoft has filed suits against seven XXX spammers under the provisions of the CAN-SPAM Act which requires sexually explicit e-mail offers to be specially marked.
  • The Ohio legislature recently passed a serious anti-SPAM bill, HB383 which includes criminal penalties.

Editor's Picks

Free Newsletters, In your Inbox