
Microsoft's response to broken Cumulative Patch MS03-032

Daniel Fleshbourne   on 09 September 2003 - 11:39 · 11 comments & 2045 views

On 20 August 2003 Microsoft issued Cumulative Patch MS03-032 for Internet Explorer. It dealt with several issues:
  • A vulnerability in the Internet Explorer cross-domain security model
  • A vulnerability that occurs because Internet Explorer does not correctly determine the type of an object returned from a web server
  • A vulnerability discovered in the BR549.dll ActiveX control
  • A change to the way Internet Explorer renders HTML files, addressing a flaw in the way it renders web pages

On Monday 08 Sept 2003 Neowin reported that security expert http-equiv, posting on Full-Disclosure, had managed to exploit the flaw that the MS03-032 patch was supposed to fix.

A Microsoft spokesperson responded today to the concerns raised by Neowin and other sites in a statement issued to Neowin: "Microsoft is investigating public reports that one of the vulnerabilities that was fixed in the original update appears affected. It appears there is a new variation of the vulnerability that has caused the scare."

She continued: "There are no reports of users being affected by this problem, but Microsoft are committed to keeping customers' data safe and are aggressively investigating these reports."

She also gave advice on what customers should do in response to this issue: "Microsoft continues to advise customers to keep their Windows systems up to date using the Microsoft Windows Update website; specifically, customers should still install the Internet Explorer cumulative update MS03-032 to help protect against the original vulnerability, as well as the other issues addressed by that security update." She also assured us that "Upon completion of our [MS] investigation we will take appropriate action to protect our customers." [Release another patch -Ed]

Microsoft has also updated Security Bulletin MS03-032 to V1.3 (September 8, 2003), adding information regarding reports that the patch provided does not properly correct the Object Type Vulnerability.

Download: All version except Microsoft Internet Explorer 6.0 for Windows Server 2003
Download: Microsoft Internet Explorer 6.0 for Windows Server 2003
View: Microsoft Security Bulletin MS03-032
View: Windows Update
View: Neowin - Microsoft Patch for Internet Explorer doesn't fix problem


Microsoft originally issued this bulletin on August 20th, 2003. Subsequent to issuing the security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability.

"Microsoft also identified a problem that specifically affects Windows XP systems that are configured as web servers serving ASP.NET web pages and causes clients connecting to the web server to receive an error when they attempt to view pages on the site. This problem only affects Windows XP computers that have installed Internet Information Services (IIS) 5.1 (which is not installed by default) and configured with the .NET Framework version 1.0 to serve ASP.NET based Web pages--it does not affect other versions of Windows. Microsoft has published a knowledge base article 827641 that provides steps to work around this issue while maintaining the level of protection provided by the security patch.

Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems."

Comments
#1 DsnBehind on 09 Sep 2003 - 11:59
Cool! Party!
#2 Sickmyduck on 09 Sep 2003 - 13:34
Is this also part of their "Trustworthy Computing" initiative?
#3 patch-rustem on 09 Sep 2003 - 14:01
(4 replies) #4 MadDog on 09 Sep 2003 - 14:58
And when RedHat patches something you guys probably cheer at how wonderfully proactive they're being. There's a website for you guys... it's called slashdot.
#4.1 DELTA75329 on 09 Sep 2003 - 15:17
No Sh!t
#4.2 ph0enix on 09 Sep 2003 - 18:12
There's nothing to cheer about anything. If RedHat or any other distribution/vendor provides patches you're safe that these patches fix the problem. In this case even the second patch doesn't fix it (because they again patched the object element in HTML but not the dynamic version of that same element). How would you describe _expertise_?
#4.3 SomeDork on 10 Sep 2003 - 03:56
Safe?

I sense that you are either unaware of other vendors or blissfully ignorant.
#4.4 patch-rustem on 10 Sep 2003 - 12:04
You are so right.
I can't stand these Linux zealots.
OpenVMS is the only safe route to the internet.
(2 replies) #5 un4given1 on 09 Sep 2003 - 21:38
When the other products make up a significant number of users on the net then you are free to complain. You know why those products are so "secure"? It's because no hacker cares about the 5% of the people who use it. Same reason Macs are more secure and Linux too. It's not that they really are, just that Windows is on 90% of PCs.
#5.1 Unforgiven on 10 Sep 2003 - 12:51
un4given1: haven't noticed you on Neowin before
#5.2 un4given1 on 10 Sep 2003 - 13:59
I don't do a whole lot of posting... I spend most of my time in other tech forums. But, I like to make an appearance every once in awhile...
