Microsoft fixes broken patch
The software giant releases a new patch for a security hole that had already been a conduit for attack by the Trojan horse program dubbed QHosts.
The patch--the fortieth that Microsoft has issued this year--seals several security holes in Internet Explorer 5.01, 5.5 and 6.0 for all versions of Microsoft Windows. The giant deemed the patch critical to all versions of Windows, except Windows Server 2003, which runs with more security in its default installation.
 | ||||
| | | ||
| Get Up to Speed on... Enterprise security  Get the latest headlines and company-specific news in our expanded GUTS section. | | ||
| ||||
| ||||
The patch repairs a previous patch that didn't properly protect against two "object type" vulnerabilities. The vulnerabilities have been exploited by Trojan horse QHosts to compromise people's PCs when they browse a Web site that has attack code built in.
"An attacker could seek to exploit this vulnerability by hosting a specially constructed Web page," Microsoft stated in the advisory. "If the user visited this Web page, Internet Explorer could fail and could allow arbitrary code to execute."
That's exactly what happened at FortuneCity.com, when an unknown attacker was able to replace a banner ad on the site with code that copied the QHosts program to any computer that viewed the page with Internet Explorer. The program doesn't attempt to spread itself, so it isn't considered a computer worm or a virus.
Microsoft has been sued by a Los Angeles resident for its handling of security patches and for allegedly putting customers at risk by not offering proper security for its Windows operating system.