Older Windows OSes need critical patch

A critical security advisory from Microsoft Corp. yesterday recommended immediate patching to prevent remote code execution through Internet Explorer 6 on all Windows operating systems before Windows Server 2003.

The browser vulnerability comes from a so-called iframe object that creates inline floating frames for Web pages from different domains.

All users of pre-2003 Windows versions are affected, Microsoft said, but users with administrative privileges have the greatest vulnerability.

Their browsers could allow an attacker to "take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges," security bulletin MS04-040 said.

Tim Keanini, chief technology officer of nCircle Network Security Inc. of San Francisco, said this type of user vulnerability seems to be replacing the strategy of direct attacks against servers. Malware is beginning to find its way into networks "by pull, not push," he said, because firewalls and intrusion detection systems have gotten better.

"It's way more effective to let the clients pull in the attack" by their innocent browsing or viewing of HTML e-mail messages in Microsoft Outlook, he said. "Opponents are going after the clients, and people don't see it coming."

Worms known as Bofra and MyDoom have already been tailored to exploit the security hole, according to the U.S. Computer Emergency Readiness Team at Carnegie Mellon University in Pittsburgh.

Specifically excluded from needing the patch are these four OSes:

  • Windows XP Service Pack 2

  • Windows XP 64-Bit Edition 2003

  • 32- and 64-bit Windows Server 2003.

For advice on dealing with the complex array of hot fixes and aftereffects of the patch on earlier Windows OSes, see the bulletin.
