MS Patches IFRAME Vulnerability Out of Cycle Redmond Finally Responds to IFRAME Issue Sean Michael Kerner
In a surprise move, Microsoft has released an out-of-cycle patch for the recently exposed IFRAME vulnerability that affects non-Windows XP SP2 users.
Microsoft itself rated the vulnerability "critical" and is recommending that all affected customers (which is everyone that isn't running XP SP2) install the patch immediately.
Just last week Microsoft denied that it would be issuing a patch out of cycle for the recently discovered vulnerability.
Microsoft Security Bulletin MS04-040, which the company issued along with the patch, includes a summary of the scope and the causes of the "HTML Elements Vulnerability" that the new patch is intended to fix.
The summary attributes the cause of the vulnerability to, "An unchecked buffer in Internet Explorer processing of certain HTML elements such as FRAME and IFRAME elements." The standard HTML elements are commonplace on tens of millions of sites.
A malicious user that exploited the vulnerability "could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges," according to the bulletin.
On Nov. 2 security firm Secunia reported the discovery of the vulnerability and labeled it the IFRAME Buffer Overflow "Vulnerability." At the time they noted that it was caused due to a boundary error in the handling of certain attributes in the IFRAME HTML tag. A day later, a pair of security researchers independently reported additional exploits utilizing the IFRAME tag.
The IFRAME vulnerability garnered further interest last week when it was utilized in a combination attack with MyDoom to infect a number of popular ad servers.
The out-of-cycle patch is also particularly noteworthy, because it is directed at non-Windows XP SP2 users. Among those are users of the company's older operating systems, such as Windows 98, which are affected by the flaw. Microsoft has said in the past (and notes in its security bulletin) that it would only issue critical updates (as necessary) for the older systems.
That said, Windows XP SP2 users may still not be out of the woods. Variants of the so called Drag-and-Drop vulnerability continue to proliferate. Late last week the Greyhats Security Group, which positions itself as a "research group," posted a new drag and drop proof of concept it dubbed "LongNameVuln."
