By Chris Gonsalves
April 23, 2003
Microsoft Corp. issued patches Wednesday afternoon for a series of
newly discovered vulnerabilities in Internet Explorer and Outlook
Both patches are for vulnerabilities deemed critical, according to
Microsoft's official postings. Both could result in an attacker being
able to execute arbitrary code on a user's system, according to
In the case of IE, the patch closes four new holes including: a buffer
overrun vulnerability in URLMON.DLL; a vulnerability in IE's file
upload control; a flaw in the way IE handles third-party file
rendering; and a flaw in the way modal dialogs are treated by IE.
Of the four, the buffer overrun is the most troubling as it could
allow an attacker to run code on a user's system if the user were
lured to an attacker's Web site, officials said. The other
vulnerabilities could also result in a compromise of the user's
machine either through a malicious Web site or through a specially
crafted HTML e-mail message.
The Outlook Express vulnerability could allow an attacker to control a
user's machine through a MHTML (MIME Encapsulation of Aggregate HTML)
URL, either on a Web site or embedded in an HTML e-mail, officials
cautioned. The vulnerability exists in Outlook Express' MHTML URL
Handler that allows any file that can be rendered as text to be opened
and rendered as part of a page in Internet Explorer.
"As a result, it would be possible to construct a URL that referred to
a text file that was stored on the local computer and have that file
render as HTML. If the text file contained script, that script would
execute when the file was accessed. Since the file would reside on the
local computer, it would be rendered in the Local Computer Security
Zone. Files that are opened within the Local Computer Zone are subject
to fewer restrictions than files opened in other security zones,"
Microsoft officials wrote.
Patches for the two critical vulnerabilities are available on the
Microsoft site for Internet Explorer and Outlook Express.