Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Microsoft Patches IFRAME Bug In IE 6

Microsoft on Wednesday released a patch to lock down Internet Explorer 6.0, which has been open to attack for the last month.

Although Microsoft's regularly scheduled security release date for December isn't until the 14th, the Redmond, Wash.-based developer occasionally posts patches "out-of-cycle" when it deems the problem particularly critical.

"Microsoft is releasing this security bulletin outside of its monthly security-bulletin release cycle to provide customers with a quality security update as soon as possible," a company spokesperson said.

The patch fixes the IFRAME vulnerability in Internet Explorer (IE) 6.0 that allowed hackers to create a buffer overflow, then gain control of the system. A working exploit has been available to attackers for nearly a month. In the interim, several attacks--including the Bofra worm and a six-hour-long stretch where a European ad-serving vendor directed innocent surfers to malicious Web sites--exploited the IFRAME vulnerability.

Microsoft tagged the unanticipated security bulletin and patch as "Critical," and recommended that customers update immediately via Windows Update. Users of all Windows editions with the exception of Windows XP Service Pack 2 (SP2) and Windows Server 2003 need to apply the patch. Versions of IE prior to 6.0 are also safe from the vulnerability.

  • 1