Microsoft Plugs 'Critical' IE Hole

Microsoft has issued a special cumulative patch for its Internet Explorer browser, addressing three new security holes rated "critical," including one that was used in a virus attack in July.

Patches rated "critical" mean that not installing the patch may lead to catastrophic damage to a PC because an attack could give a cracker complete control of that system, including the capability to reformat the hard drive, according to Microsoft.

Off Schedule and Urgent

Ordinarily, Microsoft saves up patches for a monthly release, to make it easier for customers and IT staffs. However, when the company rates a security flaw "critical," it often releases the patch as soon it's ready, the better to protect users.

"It's probably better to do it this way," says Rob Enderle, principal analyst at technology analysis firm The Enderle Group. "It gives people the option of fixing [the problems right away]. They did the right thing."

Microsoft intends the patch to head off any repeats of the attack which took advantage of multiple weaknesses in Windows and Microsoft's Internet Information Server. The so-called download.ject or Scob virus tried to steal users' data or to create "zombies" for a later planned denial of service attack.

Microsoft issued a patch for one of the weaknesses as well as workarounds to block similar attacks, but it did not patch a second hole quite as quickly. This patch takes care of that one.

Also, this latest release is a "cumulative" update, which contains all previously released security patches for IE. It fixes security flaws in all currently supported versions of Windows, from Windows 98 and Me through Windows XP. This cumulative patch and a description of the problems it solves is available from Microsoft.

Secure Service Pack Due

All of the patches issued to date are also built into the forthcoming final release of Windows XP Service Pack 2, which is expected to ship in the next few weeks. SP2, as it is called, is going through an advanced state of user testing that Microsoft calls "release candidate" (RC) testing. Once test users give it a thumbs-up, the company will release it as a final version of SP2. The current test version is the second release candidate, so it is known as RC2.

Users of the current release candidate are already safer than those with the shipping copy of the browser, according to Microsoft officials. That's because Microsoft's IE developers have reengineered part of the browser so SP2 does not contain security weaknesses that were part of IE's original design.

"We made architectural changes in the [browser's] 'Local Machine Zone'," says Stephen Toulouse, security program manager for Microsoft's Security Response Team. The Local Machine Zone is part of the browser where security permissions are generally more relaxed than its "Internet Zone." There, security is set significantly higher by default since many, if not most, attacks occur on the Internet.

Patches Urged for All

However, several recent worm and virus attacks exploited weaknesses in the browser's architecture. One attack targets what is called a "cross-domain vulnerability," penetrating the Local Machine Zone, and making it easier for attackers to take over users' PCs. Security experts liken the technique to breaking into someone's garage and then simply opening the door from the garage into the house because it's not locked. SP2 contains architectural changes that "mitigate download.ject and similar classes of attacks," according to a Microsoft spokesperson.

Users of SP2 RC2 should apply the patches because the release candidate does not contain the latest fix, although it does have the architectural changes, says a Microsoft spokesperson. The final release of Windows XP SP2 will contain both, she says.

Besides the fix for the "cross-domain vulnerability," the latest cumulative patch also contains fixes for two other security flaws that Microsoft rates as "critical" on its four-tier severity rating scale. These two other patches fix holes in the way that IE processes and displays two leading graphics formats, BMP and GIF files.