Microsoft fixes IE iFrame flaw
Microsoft has released a security update to fix the iFrame flaw discovered last month and exploited a week later by the Bofra/MyDoom virus.
The update is described as critical because it fixes a hole in Internet Explorer which would allow an attacker to take control of a computer if the user is logged in with administrator privileges and clicks on a specially crafted link. By default, new accounts on Windows XP are unrestricted admin accounts.
Shortly after the vulnerability was publicised, under criticism from Microsoft, a new virus was spawned. Some security companies believed it to be a version of MyDoom and others an entirely new species: Bofra. However, they were all receiving reports of customers having been infected.
Microsoft was then under pressure to push out a fix as fast as possible while making sure it ran properly on various configurations of its products and didn’t cause conflicts with others or create further problems. The patch for the flaw issued yesterday fixes the vulnerability as it appears in IE 6 running on Windows versions from NT 4 and 98 to XP and the 64 bit version. Systems running Windows XP with Service Pack 2 are not affected.
Microsoft describes the patch as ‘a cumulative update that addresses a publicly disclosed security vulnerability in Internet Explorer known as “iFrame” that could allow a malicious attacker to run malicious software on the user’s computer.’
Although the patch is described as ‘the’ update for December, the timing is out of kilter with the usual bulletin cycle, scheduled for the second Tuesday of every month. And indeed Microsoft says that this will not disrupt December’s bulletin.
The patch is a cumulative one and also includes fixes from October that users of XP with Service Pack 1 may not have downloaded: those fixes were included in SP2, so if you didn’t upgrade to SP2, you will have missed out. You can now get these fixes without installing SP2, although Microsoft urges customers to install SP2 as well.
To get the patch now visit the Microsoft web site.