Super patch fails to fix worst flaw in Internet Explorer

A Microsoft "super patch" for vulnerabilities in Internet Explorer fails to fix the most serious flaw, which affects the Secure Socket Layer (SSL) and could expose personal information across the Internet.

This flaw, one of the most serious yet found in Internet Explorer, could undermine confidence in online commerce and make the browser a prime target for hackers, according to analyst group Gartner. (See related report: Microsoft digital certificate flaw makes Explorer prime target.)

The flaw, identified more than a week ago, concerns the way Internet Explorer handles digital certificates.

Speaking to earlier this week, Microsoft chief security officer Stuart Okin said the SSL flaw in Internet Explorer affected the Windows operating system. "We have to look at all the different versions of the Windows OS. I cannot give you a date when a patch will be available."

Okin urged users running e-commerce sites to display a prominent banner on their Web sites alerting visitors to double-click the "padlock" icon that appears when IE connects to a site running SSL.

He said this was the only way a user could check that the SSL digital certificate from the e-commerce site was authentic.

Mike Banahan, an open-source Web consultant, said the Mozilla browser, which runs both on Windows and on various free operating systems such as FreeBSD and Linux, had suffered from a similar SSL problem.

But the security issue was resolved within hours of being found. "We are still waiting to hear from Microsoft when it will fix the problem," Banahan said.

Microsoft's latest patch fixes six new vulnerabilities, the most serious of which could enable an attacker to take control over a user's system, Microsoft said.

All currently supported versions of Internet Explorer (5.01, 5.5 and 6.0) are affected, putting tens of millions of Internet users at risk. Microsoft urged all users to apply the patch immediately in security bulletin MS02-047.

Versions of Internet Explorer that are no longer supported could also be vulnerable, Microsoft noted.

The cumulative patch includes all previously released fixes for the product.

The six newly patched vulnerabilities exist in various parts of Internet Explorer and mainly put client systems at risk, but Microsoft deems the super patch "critical" for Internet and intranet servers too.

Three of the six new flaws enable an attacker to run code on a user's system, while other vulnerabilities could be exploited to read files on a user's computer, trick the user into downloading malicious code or run script on the user's system, Microsoft said.

The patch not only fixes the vulnerabilities but permanently disables two vulnerable ActiveX controls, one linked to the MSN chat application and one to a feature for terminal services sessions.

Microsoft's security bulletin and the patch can be found at:
