CNET también está disponible en español.

Ir a español

Don't show this again

Microsoft patches IE, Windows

The company scrambles to fix numerous Internet security holes in the Internet Explorer browser and the Windows operating system.

Culture
Microsoft is scrambling to fix numerous Internet security holes in both the Internet Explorer browser and the Windows operating system.

Microsoft expects to release a patch today for a problem with Windows 95 and 98 that could let a malicious Web site operator or sender of HTML email invade a visitor's or recipient's computer.

In a buffer overrun situation, the attacker floods a field, in this case the address bar in the browser, with more characters than it can hold. Web addresses or local file addresses that are too long for the address bar can cause Windows to crash and force the characters that didn't fit into the URL entry field to go into memory, where they may be executed when the computer is restarted.

The problem occurs in Windows' networking software, and an exploit could work with any browser, Microsoft said.

Microsoft also released a patch for a bug in the Internet Explorer browser, versions 4.0 and 5.0, that exposes computers to malicious code disguised as common file extensions with suffixes like ".jpg," ".mov" or ".txt" and that get emailed as attachments. The bug takes advantage of an ActiveX control that lets archive files known as "cabinet," or ".cab," files be launched and executed from the user's machine.

Microsoft credited Spanish bug hunter Juan Carlos Garcia Cuartango for discovering the bug, which he originally described as a flaw that made Microsoft's email management program, Outlook, vulnerable to attack.

Microsoft patched the hole in the browser, preventing the ActiveX control from launching unidentified ".cab" files downloaded from the user's machine.

Patching a buggy patch
Microsoft acknowledged that a patch for one security hole reopened another previously solved security problem in IE. Microsoft said it fixed what it termed a "regression error" in the patch and rereleased it.

The buggy patch fixed a problem known as the IFrame ExecCommand vulnerability that opened a user's computer to inspection by Web site operators. The security hole let the Web site operator bypass IE's security zones by running JavaScript code from within a frame, where the browser did not detect the JavaScript code.

JavaScript is a Web programming language developed by Netscape Communications for executing actions on a computer without user interaction. It has been the source of dozens of browser security holes for Netscape and Microsoft. Frames are small windows within windows on a Web page.

Close
Drag
Autoplay: ON Autoplay: OFF