Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

IE Flaws Focus of April Patch Tuesday

By Ed Oswald, BetaNews

April 11, 2006, 4:15 PM

Microsoft's Internet Explorer browser was the focus of a majority of the fixes in Tuesday's monthly security update from the Redmond company. Altogether, five updates were issued, including three "critical," one "moderate," and another rated "important."

The Internet Explorer update was issued as a cumulative fix addressing ten vulnerabilities within the browser. The patch includes a fix for the much-publicized "createTextRange()" flaw, as well as fixes for HTML parsing errors, script executions, and address bar spoofing issues among others. All the flaws could result in a remote code execution risk, Microsoft said.

Separate of the Microsoft announcement, security firm eEye Digital Security said Tuesday that its temporary fix for the createTextRange() issue was downloaded by 156,000 customers in nearly two weeks.

While Microsoft frowns on the practice of applying third-party patches, the firm released data that indicated 98 percent of IT professionals would deploy a third-party patch if the vulnerability was severe enough.

"This vulnerability needed to be dealt with immediately, and so our research team quickly developed and tested a patch that specifically addressed the issue without creating a loss of functionality," eEye co-founder Marc Maiffret argued.

The update for Internet Explorer is intended for all versions of the operating system according to the advisory. Additionally, it includes a modification to the way ActiveX controls are rendered in the browser to address a possible patent infringement issue.

Other critical updates include a patch for a flaw in the execution of the RDS.Dataspace ActiveX control, and for a vulnerability in Windows Explorer's handling of COM objects. By visiting a specially designed Web site, attackers could make Explorer fail. This could open a hole to allow code execution, says Microsoft. As with the other critical flaws, all versions of Windows are affected.

Additionally, an "important" update was issued that addresses issues with how Outlook Express 5.5 and 6 handle Windows Address Book, or .wab, files. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in its advisory.

Finally, an important update was issued for FrontPage Server Extensions. A flaw within the technology could allow for cross-site scripting, the company said. However, user interaction is needed to exploit the problem. "The script could spoof content, disclose information, or take any action that the user could take on the affected web site," Microsoft warned.

Beyond the patches, an update was issued Tuesday for the Malicious Software Removal Tool that would detect the Win32/Locksky, Win32/Valla and Win32/Reatle viruses.

Add a Comment (24 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By DavisMcCarn

edited Apr 20, 2006 - 6:45 AM

Unfortunately; the update for the address book, quite simply, breaks it and it is a file related problem. Restoring my registry to the day before the update still left Windows XP (SP2 with all previous updates) unable to open any WAB file. A system restore to before the patch fixed it; but, silly me, I had to go and let it install again, today.
Another side effect is that it also broke Roxio's Easy CD Creator Platinum, version 6.
Thanks, Bill!

Score: 0

By GoodThings2Life

posted Apr 13, 2006 - 7:32 AM

You know... I've tested this on a lot of different sites now, and I fail to see what the fuss is about.

The original 912945 broke a lot of systems due to faulty registration of mshtml.dll (oops), but the April Cumulative Update seems to be operating perfectly fine.

On all the sites I've gone to with Flash, Shockwave, and other ActiveX and Java controls, I have had no issues at all. Oh boo hoo about a "click".

Seems like something for people to whine about is all.

Score: 0

By jspratjr

posted Apr 13, 2006 - 2:46 PM

GoodThings2Life

Making sites user friendly and simple for ANY user should be the aim of all web developer's - thanks to this BS, any kind of interactive content within a flash file (that's EVERY flash file - if you're trying to keep .swf's small, that could run into quite a few) must be "clicked" first to activate (for example mouseovers). The issue is not with the fix to mshtml.dll registration, it's the added hassle put on users (and developers) for nothing.

Score: 0

By horsecharles

edited Apr 13, 2006 - 2:34 AM

BTW for those on win9x: the fix, as well as previous fixes, BREAKS Windows HTML Help Troubleshooting Guide. Go here to fix: http://www.msfn.org/board/?showtopic=46581
Courtesy of http://www.MDGX.com

Score: 0

By AlanS2001

posted Apr 12, 2006 - 3:39 PM

135 days on average for MS to fix security faults in IE. 21 or 27 (can't remember which one) days on average for Mozilla to fix security faults in its' browsers. The solutions is simple, don't use IE for anything other than Windows Update. Use Firefox for everything else (You can now even open up IE within a Firefox Tab, see http://ietab.mozdev.org/ for details).

Score: 0

By PeenieWallie

edited Apr 12, 2006 - 11:24 AM

Uh...so...the big question here is, should we uninstall the eEye Zero-Day patch (now apparently called createTextRange() patch). I checked, and, although your website says "eEye has engineered the patch to automatically remove itself when Microsoft’s official patch comes through", this did not happen. So, what's..uh..the deal? http://www.peeniewallie....04/eeye_screws_the.html

Score: 0

By GoodThings2Life

posted Apr 13, 2006 - 7:35 AM

Yeah, I'd say it's alright to remove it or simply not install it.

FYI, Security is important to me, most certainly, but I would NEVER use a 3rd party patch for security issue. It is better to use alternative workarounds.

Score: 0

By drumcat

posted Apr 11, 2006 - 7:58 PM

912945 is EVIL. You can get rid of it...

http://cityofrain.com/?p=567

Score: 0

By GoodThings2Life

posted Apr 13, 2006 - 7:27 AM

The initial release of 912945 was indeed crappy and EVIL.

However, the new release as part of April's updates has yet to cause me any grief. :)

Just an FYI.

Score: 0

By mjm01010101

posted Apr 11, 2006 - 8:52 PM

It's not evil if you never use IE. :)

I rolled it out at my workplace with an explanation. perhaps people will vote for patent reform?

Score: 0

By drumcat

posted Apr 11, 2006 - 8:55 PM

mjm, that may be true, but I have to write to the 90% crowd. :(

Score: 0

By klingon379

posted Apr 12, 2006 - 2:41 PM

I installed Microsoft's 912945 patch on Windows XP x64 Edition and as it turns out, ActiveX controls like Macromedia Shockwave Flash are apparently incompatible with the patch. Websites that use Flash show placeholders with a red "X" in place of the Flash content after I click on "Install" when prompted to install Flash. I am logged in as Administrator when this happens.

Score: 0

By ikelleigh

edited Apr 11, 2006 - 5:30 PM

Well this certainly screws over anyone using OBJECT or EMBED tags on their pages. Flash needs an extra CLICK to activate the content. Microsoft is making it easier and easier to switch to Firefox.

Score: 0

By Banquo

posted Apr 12, 2006 - 5:56 AM

In other words those stupid flash ads won't be in my face from now on unless I click and allow them? Hurray! As far as flash stuff I want to see I don't mind clicking if it means not having all the other annoying trash all over the page.

Score: 0

By jspratjr

posted Apr 13, 2006 - 3:24 PM

Sorry Banquo - you're not off the hook - it only disables "interactive" content .. the flash file itself will still load.

Score: 0

By zee7

posted Apr 12, 2006 - 12:55 PM

For real, B. I use NoScript and GreaseMonkey on Firefox for the exact same reason.

Score: 0

By Kompressor

posted Apr 11, 2006 - 5:51 PM

The Flash thing is due to a lawsuit.

Score: 0

By mjm01010101

posted Apr 11, 2006 - 6:14 PM

And lawsuit is due to a broken patent system.
Broken Patent System is due to corporate dominance.
corporate dominance is due to a lack of morals in white christian leadership.
Should I go on?

Score: 0

By GoodThings2Life

posted Apr 13, 2006 - 7:28 AM

I think that's a pretty flame-bait worthy response.

I agree only on the point of a broken patent system, but I think you're drawing ignorant assumptions on the rest.

Score: 0

By eternalblue

posted Apr 11, 2006 - 8:49 PM

It's amazing how you blame a Microsoft patent lawsuit indirectly on Christianity. That's just ignorant.

Score: 0

By Intrusive_Rogue

posted Apr 12, 2006 - 9:31 AM

"Men never do evil so completely and cheerfully as when they do it for a religious conviction."

Score: 0

By mjm01010101

posted Apr 11, 2006 - 8:55 PM

It's amazing peeople can't take a joke. I thought it was obvious, but whatever.

Score: 0

By Limulus

posted Apr 12, 2006 - 5:19 AM

You didn't use a smiley, so no, it wasn't ;)

Score: 0

By mjm01010101

posted Apr 11, 2006 - 4:50 PM

If the vuln was severe enough, I think I'd just shut down http for my company, update IDS defs or whatever method was nessesary. Almost always there is a solution that can avoid the clients.

Score: 0

Nov 29 - 1:41 PM ET Teacher must still surrender license in bizarre 'exposure to porn' suit

Nov 26 - 9:19 PM ET Spambots edge back online post-McColo

Nov 26 - 9:17 PM ET Connecting the Black Friday dots: What to expect from CE retail

Nov 26 - 9:09 PM ET Google admits that its iPhone voice search breaks Apple's rules

Nov 26 - 5:15 PM ET Apple uses DMCA as a weapon against an open source iTunes hack

Nov 26 - 5:13 PM ET US DHS eases off its '10+2' import rules

Nov 26 - 5:08 PM ET IBM unveils 'cloud validation' to harden security and lower TCO

Nov 26 - 2:15 PM ET Thanks, EchoStar: TiVo nears its first profitable year

Nov 26 - 1:49 PM ET Google integrates Earth-like controls in new Maps interface

Nov 26 - 11:28 AM ET Mozilla developers readying one more beta cycle for Firefox 3.1