MS issues security warnings for Internet Explorer

Posted on 6 Feb 2003 at 12:23

Microsoft has issued a security warning regarding Internet Explorer.

Security Bulletin Security Bulletin MS03-004 is actually a cumulative patch containing previously released fixes for IE 5.01, 5.5, 6.0. It also, however, tackles two new vulnerabilities relating to domain information.

It seems IE has a flaw that allows one Web site to potentially access information from another domain when using certain dialog boxes. It means an attacker could craft a Web site to run malicious script through the use of such a dialog box. In the worst case, the attacker could load malicious code on to a system and also invoke an executable present on the local system

The important point is that it affects all machines with IE installed. Users of alternative browsers are still affected if they have IE on their systems. Microsoft has given the problem a severity rating of 'critical'.

To find which service packs are required for which versions you can consult Security Bulletin MS03-004.

A related cross-domain vulnerability allows involves Internet Explorer's use of the HTML-related showHelp function. Without executing proper security checking, this functionality lets an attacker access user information and invoke or load executables.

Microsoft has also issued another security update for Windows XP. This relates to user privilege settings and the means by which an attacker can override restricted access to an XP system. You can read more info about this problem in Security Bulletin MS03-005.