Microsoft's response to broken Cumulative Patch MS03-032

On the 20th August Microsoft issued the Cumulative Patch MS03-032 for Internet Explorer. It dealt with several issues:

  • A vulnerability that involves the Internet Explorer cross-domain security model
  • A vulnerability that occurs because Internet Explorer does not correctly determine an object type that is returned from a Web server
  • A vulnerability that was discovered in the BR549.dll ActiveX control
  • A change has been made to the way that Internet Explorer renders HTML files to address a flaw in the way that Internet Explorer renders Web pages

On Monday 08 Sept 2003 Neowin reported that security expert http-equiv on Full-Disclosure had managed to exploit the flaw that the MS03-032 patch was supposed to fix.

A Microsoft spokesperson responded today to the concerns raised by Neowin and other sites in a statement issued to Neowin: "Microsoft is investigating public reports that one of the vulnerabilities that was fixed in the original update appears affected. It appears there is a new variation of the vulnerability that has caused the scare."

She continued: "There are no reports of users being affected by this problem, but Microsoft are committed to keeping customers' data safe and are aggressively investigating these reports."

She also advised customers on what they should do in response to this issue: "Microsoft continues to advise customers to keep their Windows systems up to date using the Microsoft Windows Update website. Specifically, customers should still install the Internet Explorer cumulative update MS03-032 to help protect against the original vulnerability, as well as the other issues addressed by that security update." She also assured us that "Upon completion of our [MS] investigation we will take appropriate action to protect our customers." [Release another patch -Ed]

Microsoft has also updated Security Bulletin MS03-032 to V1.3 (September 8, 2003), adding information regarding reports that the patch provided does not properly correct the Object Type Vulnerability.

Download: All versions except Microsoft Internet Explorer 6.0 for Windows Server 2003

Download: Microsoft Internet Explorer 6.0 for Windows Server 2003

View: Microsoft Security Bulletin MS03-032

View: Windows Update

View: Neowin - Microsoft Patch for Internet Explorer doesn't fix problem