ZDNet UK


Skip to Main Content

  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Security threats Toolkit

Microsoft breaks monthly patching habit

Published: 03 Feb 2004 09:20 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Microsoft broke its once-a-month schedule on Monday to fix a critical flaw in Internet Explorer that could allow malicious coders to take control of an unwary user's PC.

The most serious problem, known as a cross-domain security vulnerability, affects all versions of Internet Explorer running on Windows NT, 2000 and XP. A person with a vulnerable system who clicks on a link in an HTML email or goes to a hostile Web site could allow an attacker to run code on their computer, Microsoft said in its advisory.

The seriousness of the issue forced the company to release the latest fixes before its normally scheduled date, the second Tuesday of the month.

"We evaluated the public nature of the vulnerabilities and heard from customers that this was impacting them, and we made the decision to publish," said Stephen Toulouse, security program manager with Microsoft's Security Response Centre.

The update also fixes two other security flaws, including one that gained a lot of attention for its ability to make fake Web sites look real. Known as the phishing flaw, the problem allows scam artists to forge the address in the Internet Explorer browser's address bar to display an address different from the actual site to which the user was being sent.

Scammers typically use the flaw to build a site that looks like an official Web site and then send bulk email messages that draw unsuspecting victims to the site. In January, the scam directed users to a site that looked like the official Federal Deposit Insurance Web site, asking for personal information to verify their identity. Instead, the fake Web site, based in Pakistan, collected the information in an attempt to steal from victims.

A third flaw allows a malicious Web site or HTML email to download a file to a user's computer, without asking permission, when the user clicks on a specially crafted link.

Microsoft advised Windows users to update their software quickly.

Breaking from Microsoft's monthly patch schedule will not happen often, said Toulouse.

"We do believe very much in sticking to the once-a-month thing -- our customers like the predictability," he said. "But we have always said that if we have to go out of the cycle to protect our customers we would do that."

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with Konica

Did you find this article useful?
106 out of 190 people found this useful


In association with Intel

Talkback

Post a comment


Full Talkback thread

1 comment

  1. Good article but you did not supply a link to the... Anonymous

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:




Related Jobs

Software Development Manager - Sheffield

Senior Analyst/Developer (Oracle and SQL)

.NET Web Development Manager

Sentry Posts Blog

The Technological Singularity

Are we approaching a point when machines may wake up and become self or seemingly self aware? Vernor Vinge in 1993 seemed to think so. He refered to this event as the "technological... More

2 comments

Mobile Operating Systems: MOPS At a Gl...

Mobile Operating Systems: At a Glance Author: Eric Everson, Founder MyMobiSafe Since posting my blog exposing the security Google G1 security issue, I have received a few emails... More

Post a comment

Met Police catch test cheats

I saw the funny side of this press release, I can just imagine the two people sitting in the car giving the answers to the questions. Why they had wires running from under the bonnet... More

Post a comment

Featured Oracle Resources

Human Resources Management eBook

Supply Chain Management eBook

Design and Innovation Report

Economist Intelligence Unit Report - Technology and growth at mid-sized companies

See All White Papers