kayodeok's Weblog

Friday 30 July 2004

MS04-025: Cumulative Security Update for Internet Explorer

This is an out of cycle patch for Internet Explorer which fixes the following vulnerabilities:

• Navigation Method Cross-Domain Vulnerability

  A remote code execution vulnerability exists in Internet Explorer because of the way that it handles navigation methods. An attacker could exploit the vulnerability by constructing a malicious web page that could potentially allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could run malicious script code in the Local Machine security zone in Internet Explorer. If a user is logged on with administrative privileges, this could allow the attacker to take complete control of an affected system.

• Malformed BMP File Buffer Overrun Vulnerability

  A buffer overrun vulnerability exists in the processing of BMP image file formats that could allow remote code execution on an affected system. If the user is logged on with administrative privileges an attacker who successfully exploited this vulnerability could take complete control of the affected system. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

• Malformed GIF File Double Free Vulnerability

  A buffer overrun vulnerability exists in the processing of GIF image file formats that could allow remote code execution on an affected system. If the user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

It also replaces Microsoft Security Bulletin MS04-004 and the following Knowledge Base Articles:

• KB 836117: You cannot log on to a Web site or complete an Internet transaction, or you receive an HTTP 500 (Internal Server Error) Web page
• KB 837209: An HTTPS Web page does not download completely in Internet Explorer 5.5
• KB 839571: Connections do not use LAN automatic configuration and proxy settings in Windows Server 2003
• KB 817786: An Access Violation Occurs When You Refresh a Web Page in Internet Explorer

In addition, this update increases the enforcement of the cross-domain security model in Internet Explorer.

However, if you have installed the update referenced by KB 840309, you may may experience problems with your desktop startup after installing this update

So which one of all Internet Explorer Vulnerabilies reported by Secunia has been fixed? At present, I can only identify the Local Resource Access and Cross-Zone Scripting Vulnerabilities as fixed. I will update if I find more information.

References

• MS04-025: Cumulative Security Update for Internet Explorer (Technet Article)
• MS04-025: Cumulative Security Update for Internet Explorer (Knowledge Base Article)
• Microsoft Internet Explorer Multiple Vulnerabilities (secunia)