Microsoft patches three critical browser flaws

The software giant hopes that the trifecta of fixes will lasso the Download.Ject Trojan horse.

Ina Fried
Ina Fried Former Staff writer, CNET News
During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.
2 min read
Microsoft on Friday released a patch for Internet Explorer designed to close three critical holes in the browser, including one that paved the way for the Download.Ject Trojan horse.

The software maker offered a work-around earlier this month and had promised in recent days that a comprehensive fix would be coming soon. Microsoft has also worked with law enforcement to shut down the Russian server that had been the source of malicious code.

The new patch, which is available from Microsoft's security Web site, closes the hole, and Microsoft encouraged all IE users to update their browsers. Technically, the flaw is what's known as a cross-domain vulnerability, through which an attacker is able to cross a security boundary within the browser to deliver and execute malicious code.

Microsoft security program manager Stephen Toulouse said that the company was already working on an Internet Explorer update when it became aware in late June that the vulnerability was being exploited. "Once we became aware of the specific attack on our customers, that's when we began to mobilize," Toulouse said, pointing to the company's work with law enforcement and Internet service providers.

The patch also addresses two other publicly known flaws in IE, both related to image processing and both rated as critical because they could allow malicious code to be run on a vulnerable system.

Toulouse said the company does not know of any attacks related to these two flaws, but he added, "We want to make sure that customers have this update so they are protected."

Security company Symantec encouraged Web surfers to apply the patch.

"With the widespread use of Microsoft Internet Explorer in both the enterprise and consumer environments, it is critical that security patches be applied immediately," Alfred Huger, senior director of Symantec Security Response, said in a statement.

Some have said that IE vulnerabilities have become so common that Web surfers should consider other browsers.

Toulouse noted that the company has improved IE in the forthcoming Windows XP Service Pack 2, adding that those running that version of the operating system were not vulnerable to the attack because of changes the company made to the internal structure of the browser.