IE Patch Precedes Year-End Updates

Responding to exploits that were beginning to circulate for recently reported vulnerabilities in Internet Explorer (IE), Microsoft released a critical update prior to its Dec. 14, 2004, “Patch Tuesday.” The critical patch was followed on Patch Tuesday by five important updates and a reissued bulletin for the GDI+ vulnerability reported in Oct. 2004. Customers will need to carefully review the bulletins to determine which patches they need to apply to their systems. (For additional information about these patches, see the chart “Dec. 2004 Update Summary“.)

The critical IE patch fixes a buffer overflow problem in the code that processes HTML elements such as FRAME, an independent, scrollable region within the IE window, and IFRAME, which gives Web authors additional control over the display of information in a frame. An attacker could exploit these vulnerabilities through a Web page or an HTML-based e-mail to get control of remote computers.

Because exploits for this vulnerability were beginning to circulate on the Internet, Microsoft released the patch when it was ready, rather than holding it until the second Tuesday of the month, its typical patch release day.