Microsoft Issues Special Patch for IE Hole

Users should install the critical fix as soon as possible, software giant says.

Joris Evers, IDG News Service

Microsoft this week released an update to Internet Explorer to fix a security flaw that was discovered a month ago and has since been exploited to attack users.

The update fixes a problem in the way IE handles the "frame" and "iframe" HTML tags. The problem was disclosed early last month and has since been exploited by a variant of the MyDoom worm and used to infect computers with variants of the Bofra worm.

Security experts warned in early November that code exploiting the security hole was circulating on the Internet. Attackers could gain complete control over a victim's computer by exploiting the flaw, according to Danish security company Secunia and the U.S. Computer Emergency Readiness Team (CERT).

Unscheduled Release

Microsoft, which has criticized the "irresponsible disclosure" of the vulnerability, released the update for its Web browser outside of its normal monthly patching schedule and as soon as it could get it done, says Stephen Toulouse, a security program manager at Microsoft.

"We released this today in response to some of the attacks we have seen against customers," he says. The scope of the attacks, however, was not widespread, according to Toulouse.

Microsoft nevertheless deems the update "critical" and urges all users to install it immediately. Windows XP users who have installed Service Pack 2 (SP2) are an exception; those systems are not vulnerable, according to Microsoft.

On desktop systems, the vulnerability primarily affects IE 6 with SP1 when installed on several Microsoft operating systems including XP, Windows 2000, and Windows 98.

Several Windows NT Server 4.0 products are also vulnerable, according to Microsoft.

More details on Microsoft's update can be found in Security Bulletin MS04-040.
