Microsoft patches three critical holes in Explorer

Microsoft has released an out-of-cycle patch to fix three critical and previously disclosed holes in Internet Explorer.

Microsoft has released an out-of-cycle patch to fix three critical and previously disclosed holes in Internet Explorer. 

The company also released an updated version of a software tool for cleaning out the prolific MyDoom virus and its variants from infected systems. 

The latest cumulative patch is contained in Security Bulletin MS04-25 and is aimed at fixing a series of flaws in Explorer that were publicly disclosed in late June. 

Microsoft, which typically releases patches in monthly cycles, urged users to install the latest one as soon as possible because of potentially serious risks posed by the flaws. 

For instance, one of the holes has already been used in an attack called Download.Ject, in which vulnerable client systems are infected with a Trojan capable of capturing sensitive information, such as log-on names and passwords, or of fooling users into parting with their credit card numbers and ATM Pins. 

Microsoft released a tool to help users get rid of the Trojan on infected systems in June. On 2 July the company released a configuration change to Windows XP, Server 2003 and Windows 2000 that was designed to mitigate the risk posed by Download.Ject. 

Today's patch finally closes the so-called cross-domain vulnerability in Internet Explorer that Download.Ject takes advantage of, Microsoft said. 

There is no evidence that the other two flaws addressed by the latest patch have been exploited, said Alfred Huger, senior director of engineering at Symantec's security response centre. 

One of them is a buffer overflow vulnerability in a software component used to process bitmap image files. The other is a buffer overrun flaw in a function used to process Gif image files. Both flaws could give attackers a way to remotely execute malicious code on an infected system. 

"Both of these are a little more difficult to exploit than the first one," Huger said. "We haven't seen any exploits so far but that doesn't necessarily mean there aren't any," he said. 

Microsoft's latest patch replaces the MS04-004 cumulative update that was first issued by the company in February and later updated in April. 

Jaikumar Vijayan writes for Computerworld 


Read more on IT risk management