
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-02-02



Microsoft Releases IE Cumulative Patch (MS04-004)

Published: 2004-02-02
Last Updated: 2004-02-02 20:43:00 UTC
by Scott Fendley (Version: 1)

Microsoft Releases Internet Explorer Cumulative Patch (MS04-004)

Earlier today Microsoft released patches for Internet Explorer versions 5.01, 5.5, and 6.0. This cumulative patch replaces the one that is provided by Microsoft Security Bulletin MS03-048.
The Bulletin is located at:

http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp
It is reported that this update eliminates a vulnerability in the cross-domain security model, a vulnerability involving drag-and-drop operations during dynamic HTML (DHTML) events, and a vulnerability in the parsing of URLs that contain special characters. Each of these vulnerabilities is rated either Critical or Important for any version of Windows prior to Windows Server 2003. They are listed as Moderate or Important for Windows Server 2003.
In addition, the basic authentication features of Internet Explorer have been modified to remove handling of user names and passwords in HTTP, HTTPS, and XMLHTTP URLs. This change may have a dramatic effect on end users who bookmark or otherwise store their passwords as part of the URL. Though this change does improve security, end users may complain about the loss of this ability.
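To gauge how many users the credential change will affect, an administrator can look for saved shortcuts whose URL embeds a user name or password. The following is an added example, not part of the original diary entry; it assumes the bookmarks are Internet Explorer Favorites (`.url` files with an `[InternetShortcut]` section), and the function names and sample shortcuts are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Only the URL schemes named in the diary entry are checked.
AFFECTED_SCHEMES = {"http", "https"}

def shortcut_url(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def find_userinfo(url):
    """Return a finding if the URL carries user[:password]@ before the host."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None
    # An '@' in the query or path is not userinfo; only the authority counts.
    if parts.scheme not in AFFECTED_SCHEMES or "@" not in parts.netloc:
        return None
    host_only = parts.netloc.rpartition("@")[2]
    return {
        "user": parts.username,
        "has_password": parts.password is not None,
        # Credential-free form, so the report never repeats the password.
        "clean_url": urlunsplit(parts._replace(netloc=host_only)),
    }

def scan_shortcuts(shortcuts):
    """shortcuts maps file name -> .url file text; returns affected entries."""
    findings = {}
    for name, text in shortcuts.items():
        url = shortcut_url(text)
        hit = find_userinfo(url) if url else None
        if hit:
            findings[name] = hit
    return findings

# Constructed sample Favorites, not taken from any real system.
SAMPLES = {
    "intranet.url": "[InternetShortcut]\r\nURL=http://alice:s3cret@intranet.example/reports?id=1\r\n",
    "news.url": "[InternetShortcut]\r\nURL=https://www.example.org/news\r\n",
    "mail.url": "[InternetShortcut]\r\nURL=https://carol@mail.example:8443/inbox\r\n",
}

if __name__ == "__main__":
    for name, hit in scan_shortcuts(SAMPLES).items():
        print(name, hit["user"], hit["has_password"], hit["clean_url"])
```
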
For more information on the URL parsing vulnerability, please see:

http://isc.sans.org/diary.html?date=2003-12-23
Internet Storm Center

Scott Fendley - Handler on duty