Two serious security flaws that could allow an attacker to
take over a user's system have been identified on all current
versions of Microsoft's Internet Explorer (IE) web browser,
including the one that ships with Windows Server 2003.The flaw affects IE versions 5.01, 5.5, 6.0
and 6.0 for Windows Server 2003, Microsoft said in
Security Bulletin MS03-020. The bulletin includes a software
patch for all browser versions that the software vendor urges users
to install immediately.
With the announcement, Microsoft released its
first security patch for Windows Server 2003, two months after the
launch of what Microsoft said was one of its most secure products
ever.
Microsoft was quick to stress that it had not
failed to deliver on its security promise, but that the flaws
demonstrate that its "secure by design, secure by default and
secure by deployment" approach is paying off.
"Windows Server 2003 in its default
configuration is not vulnerable to this attack. Because of that,
the severity rating on the predecessor platforms is critical, but
the severity rating on Windows Server 2003 is moderate," said Jeff
Jones, senior director of Trustworthy Computing at Microsoft.
IE on Windows Server 2003 is locked down as
users are not expected to use a server computer for general web
browsing. The software has a "reduced attack surface area", Jones
said. However, because the underlying vulnerability still exists,
Microsoft does want people to apply the patch, he said.
Although Jones sees this as "a proof point for
Trustworthy Computing", Forrester Research senior analyst Laura
Koetzle warned that it is too early to draw any conclusion on the
level of security in Windows Server 2003.
"It is good that in the default configuration
Windows Server 2003 is not vulnerable to this. However, I don't
think we should jump the gun saying that Windows Server 2003 is
clearly more secure than previous versions of Windows. It is a bit
premature to make that decision," Koetzle said.
The first vulnerability exists because IE can
automatically start downloading and running software if it is
flooded by requests for software downloads. This allows an attacker
to run arbitrary code on a user's computer, Microsoft said.
The second vulnerability exists because of a
buffer overrun flaw in the way IE reads "object tags" in web pages,
Microsoft said. Object tags are used to embed objects such as
Office documents or media files in a web page. Buffer overrun flaws
typically allow an attacker to gain control of a victim's
computer.
Microsoft has a tiered system for rating
security issues. Vulnerabilities that could be exploited to allow
malicious internet worms to spread without user action are rated
critical. Issues that are rated important could still expose user
data or threaten system resources. Vulnerabilities rated moderate
are hard to exploit because of factors such as default
configuration or auditing, or difficulty of exploitation.
Joris Evers writes for IDG News
Service