X

Microsoft patches holes in IE, Outlook

The software giant urges customers to apply updates for both applications to fix critical vulnerabilities that could let attackers run programs on a victim's PC.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
See full bio
Robert Lemos
2 min read
Microsoft once again has welcomed Wednesday with patches for security flaws discovered in its Windows applications.

The software giant warned customers that they should apply updates for both Internet Explorer and Outlook Express to fix critical security vulnerabilities that could let attackers run programs on a victim's PC.

"The No. 1 thing that we want people to walk away with is to install the updates so their machine is protected," said Stephen Toulouse, security program manager for Microsoft's security response center.

Last year, Microsoft began to release advisories midweek due to customer comments indicating such a policy makes it more likely that patches can be applied quickly. Both advisories can be found on the Redmond, Wash., company's Web site.

Internet Explorer 5.01, 5.5 and 6.0 all have four flaws, the worst of which could allow an attacker to take control of a person's computer if a victim were follow links to a Web site or read an HTML (Hypertext Markup Language) e-mail created by an attacker.

A so-called buffer overflow vulnerability, which an attacker can exploit by sending more input to a program than the application expects, could allow the owner of a Web site to run code on the person's computer. Buffer overflows are an old type of vulnerability that still crop up frequently in programs. The flaw occurs in a component of Internet Explorer that delivers Web addresses to the browser from other sources--for instance, if a person clicked on a URL in an e-mail or a Word document.

Two other vulnerabilities allow an attacker to place code on a Web site that would cause the browser to upload a file from a victim's computer. Another flaw affects how the application handles third-party files such as Adobe Systems' portable document format.

The flaw in Outlook Express is in the way that the application handles the encapsulation of HTML in e-mails. A software error in the component allows an attacker to run programs on a victim's computer.

Even Windows users who don't read or send e-mail using Microsoft Outlook Express or browse with Internet Explorer should install the update, the advisories stressed.

The advisories are the software giant's 14th and 15th this year. This is the company's second year of trying to secure its myriad of applications under its Trustworthy Computing Initiative.