Microsoft Patches IFRAME Bug In IE 6

Microsoft on Wednesday released a patch to lock down Internet Explorer 6.0, which has been open to attack for the last month.

Although Microsoft's regularly scheduled security release date for December isn't until the 14th, the Redmond, Wash.-based developer occasionally posts patches "out-of-cycle" when it deems the problem particularly critical.

"Microsoft is releasing this security bulletin outside of its monthly security-bulletin release cycle to provide customers with a quality security update as soon as possible," a company spokesperson said.

The patch fixes the IFRAME vulnerability in Internet Explorer (IE) 6.0 that allowed hackers to create a buffer overflow, then gain control of the system. A working exploit has been available to attackers for nearly a month. In the interim, several attacks--including the Bofra worm and a six-hour-long stretch where a European ad-serving vendor directed innocent surfers to malicious Web sites--exploited the IFRAME vulnerability.

Microsoft tagged the unanticipated security bulletin and patch as "Critical," and recommended that customers update immediately via Windows Update. Users of all Windows editions with the exception of Windows XP Service Pack 2 (SP2) and Windows Server 2003 need to apply the patch. Versions of IE prior to 6.0 are also safe from the vulnerability.More details about the vulnerability, the patch, and possible workarounds, can be found in the MS04-040 bulletin on Microsoft's TechNet site.

Also on Wednesday, Microsoft corrected a problem in Windows Update, the primary patch-delivery service for individuals.

"We discovered that customers running Windows XP SP1 have not been offered the updates that apply to their computer from the October monthly release," said the Microsoft spokesperson. "This is due to the fact that these updates are already included in Windows XP SP2, and this is the update that Windows Update and Automatic Updates presents to these users."