Microsoft released the first security patch for Windows Server 2003. The patch corrects problems with Internet Explorer (IE) 6.0 (including IE 6.0 for Windows 2003), IE 5.5, and IE 5.01.
eEye Digital Security discovered the two problems. The first problem is due to faulty code that causes a buffer overrun condition to exist. The second problem involves a flaw in the way IE determines object types based on HTML object tags. Either flaw can let an attacker execute arbitrary code on a user's system.
Microsoft security bulletin MS03-020 (Cumulative Patch for Internet Explorer) corrects the two new problems. The new patch also includes all the fixes from previous IE 6.0, IE 5.5, and IE 5.01 patches. Microsoft rates the two new problems as "critical" for all browser versions except IE 6.0 for Windows 2003, which is rated as "moderate." Microsoft said the moderate rating stems from the "Enhanced Security Configuration" settings in Windows 2003, which disallow certain activity within IE, including the inability to run scripts, ActiveX controls, Microsoft Virtual Machine (VM) code, certain types of HTML content, file downloads, and various other activity.
If users have disabled IE's "Enhanced Security Configuration" on Windows 2003, they should probably consider the risk as "critical." For example, many terminal server setups might have that configuration disabled.
Regarding the cumulative nature of the patch, some users have long wondered why Microsoft rolls new patches in with older patches, thereby forcing users to install older patches if they want to be protected against new vulnerabilities. Users have pointed out that cumulative patches are very handy, but including new patches (without allowing for a standalone patch) removes administrators' fine-grain control over how systems are patched, and sometimes old patches cause new problems for otherwise stable systems. Furthermore, rolling the new in with the old without allowing for separate patches clouds the problem of vulnerability tracking.
The arguments make some sense. For example, users might look back next year at the list of security patches for IE and see "MS03-020, Cumulative Patch for Internet Explorer" and think that it contains no new security fixes but is merely a collective patch of all the patches they've already installed. Users might decide they have all the necessary patches installed already and not install the patch related to MS03-020, thereby leaving their systems exposed to a critical vulnerability.