Monday, August 25, 2003

A Cumulative Patch for Internet Explorer
Microsoft Wednesday issued a cumulative patch for its Internet Explorer browser that also protects against several newly discovered vulnerabilities that it labeled as "critical."

Microsoft said the patch combines all the previously released patches for IE 5.01, 5.5 and 6.0 and also addresses several vulnerabilities that would allow an attacker to use a malicious Web site or specially-formed HTML email to access certain privileges on a user's computer.

The first new flaw patched involves the cross-domain security model of IE, which is intended to keep windows of different domains from sharing information. Microsoft said the flaw could allow an attacker to execute script in the user's My Computer zone, run an executable file already present on the local system, or view files on the computer.

To exploit the flaw, an attacker would have to host a malicious Web site that contained a page specifically designed to exploit the vulnerability, and then persuade a victim to visit the site. Once the user is on the site, Microsoft said the attacker could run malicious script by misusing the method IE uses to retrieve files from the browser cache, causing that script to access information in a different domain.

The second new vulnerability patched would allow an attacker to run arbitrary code on a user's system because Internet Explorer doesn't properly determine an object type returned from a Web server, Microsoft said. This vulnerability could be exploited either through convincing a user to visit a malicious Web site or through an HTML email.

The cumulative patch also sets the Kill Bit on the BR549.DLL ActiveX control, which was originally implemented to support the Windows Reporting Tool. IE no longer supports the tool, which has been found to contain a security vulnerability. The new patch prevents the control from running or from being reintroduced onto a user's system.
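To confirm that a kill bit like the one described above is actually in place, a defender can check the control's `Compatibility Flags` value under IE's `ActiveX Compatibility` registry key, where the kill bit is the `0x00000400` flag. The following is an added example, not code from the article or from Microsoft: it audits an exported `.reg` file, and because the article does not give the CLSID of the BR549.DLL control, the CLSIDs and the sample export are constructed placeholders.

```python
import re

KILL_BIT = 0x00000400  # kill-bit flag inside the "Compatibility Flags" DWORD
COMPAT_KEY = r"\Microsoft\Internet Explorer\ActiveX Compatibility" + "\\"

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00800000
'''

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9a-fA-F]{1,8})\s*$', re.I)
CLSID = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

def parse_compat_flags(reg_text):
    """Return {CLSID: flags or None} for every ActiveX Compatibility subkey."""
    result, current = {}, None
    for line in reg_text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            key = m.group("key")
            clsid = CLSID.search(key)
            if COMPAT_KEY.lower() in key.lower() and clsid:
                current = clsid.group(0).upper()
                result.setdefault(current, None)
            else:
                current = None  # a key outside the compatibility list
            continue
        m = FLAGS.match(line.strip())
        if m and current:
            result[current] = int(m.group("val"), 16)
    return result

def kill_bit_status(reg_text, clsid):
    """Return 'set', 'not set', or 'no entry' for one CLSID."""
    flags = parse_compat_flags(reg_text)
    clsid = clsid.upper()
    if clsid not in flags:
        return "no entry"
    value = flags[clsid]
    return "set" if value is not None and value & KILL_BIT else "not set"
```

A result of "no entry" or "not set" for the control's CLSID on a machine that should have the patch is the finding to follow up on.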

Microsoft has also used the cumulative patch to change the way IE renders HTML files, in order to address a flaw that could cause IE or Outlook Express to fail. Currently, IE does not properly render an input tag, Microsoft said, which would allow an attacker to craft a malicious Web site that would cause the browser to fail. The flaw would also allow an attacker to create a specially-formed HTML email that would cause Outlook Express to fail when the email is opened or previewed.

Finally, the patch modifies an earlier patch in order to cover specific languages.

http://www.internetnews.com/dev-news/article.php/3066741
