IE Cumulative Update Is Messy

Microsoft released a security rollup for all versions of Internet Explorer (IE) on February 5; then, on February 12, the company released a hotfix that corrects an IE 6.0 authentication flaw the rollup introduces. (For more information about the hotfix, see Security Bulletin MS03-004: Cumulative Patch for Internet Explorer.) Two weeks after the cumulative rollup's original release, the company updated the rollup posting, but whether the files in the rollup changed is unclear. The cumulative update has been available for a month now, and no additional problems have surfaced (or at least been made public). If you distributed the original February 5 release, you might need to apply two additional hotfixes—one to correct the IE 6.0 authentication problem and one to restore HTML-based Help functionality in the browser. In a better world, Microsoft would have more respect for the time and effort required to distribute three separate updates and would reissue a cumulative update that includes both post-rollup hotfixes. IE security flaws are important because they expose both the browser and the underlying OS to compromise. The ability to affect the OS results from the fact that IE shares several components with Windows operating systems—a flaw in a shared component exposes the same security vulnerability in the underlying code. Because shared components load at system startup, a malicious user can exploit this class of security flaw even when IE isn't running, as, for example, when you access Web sites with another browser. The February 19 rollup version contains all previously documented security fixes, eliminates a new cross-domain security vulnerability, and introduces two new bugs. Cross-domain vulnerabilities arise when you browse multiple Web sites in one browser session. Data for each Web session must remain private to ensure that unrelated Web sites can't access one another’s session parameters. When data isn't secure, a clever Web host can programatically extract data from a session from a different domain. One of the new cross-domain vulnerabilities shows up when you enter information in a dialog box in response to a question on a Web page. A second flaw exists in how IE processes an HTML page that contains Help content—for example, information displayed with the showHelp() function. A system is vulnerable only when you browse a Web page that a malicious user has constructed to leverage either or both flaws. Both flaws let a smart Web site operator programatically access information about other sessions and either store and run malicious code on the local system or invoke an executable that's already present on the local system. Because of the potential damage, the February cumulative update has a critical security rating. Now for the complicated part: You need to download, install, and test the three updates listed below to secure IE browsers against the newly discovered vulnerabilities and to clean up problems the rollup introduces. After you apply the rollup to IE 6.0, users might experience authentication problems at subscription-based Web sites or when logging on to MSN email. The rollup also disables the browser’s ability to process HTML-based Help content on a Web page—that is, it disables the showHelp() function. You eliminate both problems by installing the authentication hotfix and the HTML help hotfix. The HTML hotfix restores most, but not all, of the showHelp() functionality. For more information about these patches and instructions for downloading them, read the associated Microsoft article. Note that the showHelp fix is platform specific; if you support multiple platforms, you must download the fix for each one by using the links provided in the reference article. 1. IE rollup, released February 5, 2003, "MS03-004: February, 2003, Cumulative Patch for Internet Explorer," 2. Post-rollup showHelp, released February 5, 2003, "HTML Help Update to Limit Functionality When It Is Invoked with the window.showHelp( ) Method," 3. Post-rollup IE 6.0 authentication hotfix, released February 11, 2003, "You Cannot Access Your MSN E-mail Account or Authenticate with a Web Site in Various Programs,"

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.