CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Tech Industry

Microsoft releases patch for IE flaw

The software giant issues a critical update for its browser, just two days after removing a Windows NT fix for a software problem.

Microsoft on Wednesday advised Internet Explorer customers to apply a patch for a vulnerability that could allow a Web site administrator to steal data or take control of a person's PC.

The flaw occurs in Internet Explorer's domain security, the technology that keeps applications running in the Internet domain from accessing data on the PC or local domain, for example.

"In the worst case, this vulnerability could allow an attacker to load a malicious executable onto the system and execute it," the advisory said.

Internet Explorer uses security domains, or "zones," to limit what certain Web sites and HTML (Hypertext Markup Language) pages can do to a person's PC. From the most restricted to the least restricted, the zones are categorized as Restricted, Internet, Trusted and Local. By taking advantage of this flaw, a Web page could bypass the protections and use the local, or least restricted, zone.

The patch came two days after the software giant pulled a patch for its Windows NT 4.0 systems, MS02-071, released in December.

"We started getting back reports that some configurations were having problems," said Iain Mullholland, security program manager with Microsoft security response. "We don't take pulling a patch lightly. We are working on it as hard as we can."

While the occurrence doesn't happen often, Microsoft pulled a patch for Exchange in June 2001, after customers complained that the fix had broken their software.