To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/applications/0,39024653,10002768,00.htm

IE flaw - Microsoft releases patch
Protect your 'zones'

By Robert Lemos

Published: Thursday 06 February 2003

Microsoft on Wednesday advised Internet Explorer users to apply a patch for a vulnerability that could allow a website administrator to steal data or take control of a person's PC.

The flaw occurs in Internet Explorer's domain security, the technology that keeps applications running in the internet domain from accessing data on the PC or local domain, for example.

"In the worst case, this vulnerability could allow an attacker to load a malicious executable onto the system and execute it," the advisory said. The update is available from Microsoft's website.

Internet Explorer uses security domains, or 'zones', to limit what certain websites and HTML (Hypertext Markup Language) pages can do to a person's PC. From the most restricted to the least restricted, the zones are categorised as Restricted, Internet, Trusted and Local. By taking advantage of this flaw, a web page could bypass the protections and use the local, or least restricted, zone.

The patch came two days after the software giant pulled a patch for its Windows NT 4.0 systems, MS02-071, released in December.

"We started getting back reports that some configurations were having problems," said Iain Mullholland, security programme manager with Microsoft security response. "We don't take pulling a patch lightly. We are working on it as hard as we can."

While the occurrence doesn't happen often, Microsoft pulled a patch for Exchange in June 2001, after customers complained the fix had broken their software.