Microsoft Patches Three IE Security Holes

Microsoft issued fixes for three major security flaws in Microsoft Internet Explorer
(IE) yesterday. The fixes include a relatively well-known “phishing” (URL-spoofing)
vulnerability that appears in all standards-compliant browsers and could let attackers
silently redirect users to malicious Web sites. Microsoft made the updates available
outside of its usual monthly schedule for critical security fixes because the company
felt they were important enough to release immediately. Since the company moved to
the new schedule, Microsoft has said that it would occasionally do so when necessary.

“Due to the nature of this vulnerability and feedback from customers, we felt like
there was enough of a risk to release the fixes early,” Mike Reavey, a security program
manager for Microsoft’s Security Response Center, noted. “We did this in response
to the particular nature of the URL-spoofing issue. And also there was a lot of customer
feedback about this. While we like to maintain a predictable schedule, with this particular
issue we released it as soon as it was ready.”

Although the phishing vulnerability and one of the other vulnerabilities fixed this
week are rated important, the remaining security fix is rated critical. The nonphishing
patches involve flaws that could let attackers take control of Windows systems. All
three fixes apply to IE 5.01 and later running on Windows Server 2003; Windows XP;
Windows 2000; Windows NT Server 4.0, Terminal Server Edition (WTS); and NT 4.0. Microsoft
has issued one critical patch that addresses all three vulnerabilities. Most Windows
users can get the patch through Windows Update or automatically through Automatic
Updates. For more information, visit the Microsoft Web site.

http://www.microsoft.com/security/security_bulletins/20040202_windows.asp

Microsoft Patches Three IE Security Holes