A Microsoft "super patch" for vulnerabilities in Internet Explorer
fails to fix the most serious flaw, which affects the Secure Sockets
Layer (SSL) and could expose personal information across the
Internet.
This flaw, one of the most serious yet found in Internet Explorer,
could undermine confidence in online commerce and make the browser
a prime target for hackers, according to analyst group Gartner (see:
Microsoft digital certificate flaw makes Explorer prime target).
The flaw, identified more than a week ago, concerns the way
Internet Explorer handles digital certificates.
Speaking to CW360.com earlier this week, Microsoft chief security
officer Stuart Okin said the SSL flaw in Internet Explorer affected
the Windows operating system. "We have to look at all the different
versions of the Windows OS. I cannot give you a date when a patch
will be available."
Okin urged users running e-commerce sites to display a banner
prominently on their Web sites alerting visitors to double-click on
the "padlock" icon which appears when IE connects to a site running
SSL.
He said this was the only way a user could check that the SSL
digital certificate from the e-commerce site was authentic.
Mike Banahan, an open source Web consultant, said the Mozilla
browser, which is used both on Windows and various free operating
systems such as FreeBSD and Linux, suffered from a similar SSL
problem.
But the security issue was resolved within hours of being found.
"We are still waiting to hear from Microsoft when it will fix the
problem," Banahan said.
Microsoft's latest patch fixes six new vulnerabilities, the most
serious of which could enable an attacker to take control over a
user's system, Microsoft said.
All currently supported versions of Internet Explorer (5.01, 5.5
and 6.0) are affected, putting tens of millions of Internet users at
risk. Microsoft has urged all users to apply the patch immediately,
it said in security bulletin MS02-047.
Versions of Internet Explorer that are no longer supported could
also be vulnerable, Microsoft noted.
The patch is cumulative: it includes all previously released fixes
for the product.
The six newly patched vulnerabilities exist in various parts of
Internet Explorer and mainly put client systems at risk, but
Microsoft deems the super patch "critical" for Internet and
Intranet servers too.
Three of the six new flaws enable an attacker to run code on a
user's system, while other vulnerabilities could be exploited to
read files on a user's computer, trick the user into downloading
malicious code or run script on the user's system, Microsoft said.
The patch not only fixes the vulnerabilities but permanently
disables two vulnerable ActiveX controls, one linked to the MSN
chat application and one to a feature for terminal services
sessions.
Microsoft's security bulletin and the patch can be found at:
www.microsoft.com/technet/security/bulletin/MS02-047.asp