Microsoft has released an out-of-cycle security bulletin
and patch to fix a critical hole in Internet Explorer that has been
widely exploited by attackers and used in conjunction with
compromised ad banners.

The vulnerability was first disclosed on 24 October and exists in
Internet Explorer's handling of iFrame tags, allowing hackers to
exploit a buffer overflow flaw to take complete control of a
compromised system. They could then direct users through
compromised ad banners to websites that could download malicious
code to the user's PC.

Microsoft also reissued three of its fixes from October for users
of Windows XP Service Pack 1, who were not automatically offered
the updates through Microsoft's Windows Update and Automatic
Updates service. This is because they may be SP1 users who have
downloaded the XP SP2 patch but have not yet installed it, said
Microsoft.