MS Patch Day: 10 Flaws Fixed in Monster IE Update

By Ryan Naraine  |  Posted 04-11-2006 Print


EUC with HCI: Why It Matters

Updated: Microsoft ships a browser security makeover 18 days after hackers launch a wave of zero-day attacks; patches also cover holes in MDAC, Windows Explorer, Outlook Express and FrontPage Server Extensions.

Microsoft's dominant Internet Explorer browser has undergone a major security makeover to plug 10 vulnerabilities that puts millions at risk of PC takeover, address bar spoofing and information disclosure attacks.

The monster IE update includes a fix for the "createTextRange()" code execution flaw that caused zero-day drive-by downloads and a significant modification to the way the browser renders certain ActiveX controls.

The ActiveX changes result from the ongoing patent dispute between Microsoft and Eolas Technologies and will now require IE users to manually interact with certain embedded multimedia content. A "compatibility patch" was also released to let IE users turn off the changes through June 2006.

In all, Microsoft shipped five bulletins with patches for 14 different vulnerabilities in a range of Windows products.

Three the five bulletins are rated "critical," the company's highest severity rating.

In addition to the IE update, critical bulletins were issued for a code execution bug in the MDAC (Microsoft Data Access Components Function) in Windows and a remotely exploitable flaw in Windows Explorer.

Microsoft recommends that Windows users treat the MS06-013 bulletin as a high-priority update to protect against an active attack vector that used social engineering tricks to lure IE users to Web sites rigged with bots, spyware, back doors and other Trojan downloaders.

Click here to read more about social engineering traps used to trick users.

The IE update applies to users of Windows 2000 (SP4 only), Windows XP (SP1 and SP2), and Windows Server 2003 (including SP1).


Submit a Comment

Loading Comments...
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.

By submitting your information, you agree that cioinsight.com may send you cioinsight offers via email, phone and text message, as well as email offers about other products and services that cioinsight believes may be of interest to you. cioinsight will process your information in accordance with the Quinstreet Privacy Policy.

Click for a full list of Newsletterssubmit