Older Windows OSes need critical patch

A critical security advisory from Microsoft Corp. yesterday recommended immediate patching to prevent remote code execution through Internet Explorer 6 on all Windows operating systems before Windows Server 2003.

The browser vulnerability comes from a so-called iframe object that creates inline floating frames for Web pages from different domains.

All users of pre-2003 Windows versions are affected, Microsoft said, but users with administrative privileges have the greatest vulnerability.

Their browsers could allow an attacker to "take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges," security bulletin MS04-040 said.

Tim Keanini, chief technology officer of nCircle Network Security Inc. of San Francisco, said this type of user vulnerability seems to be replacing the strategy of direct attacks against servers. Malware is beginning to find its way into networks "by pull, not push," he said, because firewalls and intrusion detection systems have gotten better.

"It's way more effective to let the clients pull in the attack" by their innocent browsing or viewing of HTML e-mail messages in Microsoft Outlook, he said. "Opponents are going after the clients, and people don't see it coming."

Worms known as Bofra and MyDoom have already been tailored to exploit the security hole, according to the U.S. Computer Emergency Readiness Team at Carnegie Mellon University in Pittsburgh.

Specifically excluded from needing the patch are these four OSes:

  • Windows XP Service Pack 2

  • Windows XP 64-Bit Edition 2003

  • 32- and 64-bit Windows Server 2003.


For advice on dealing with the complex array of hot fixes and aftereffects of the patch on earlier Windows OSes, see the bulletin.
