IE and ASN.1 Vulnerabilities Require Patches

Security bulletins and patches have been issued for critical vulnerabilities in Internet Explorer (IE) and the Abstract Syntax Notation 1 (ASN.1) library, which implements a common protocol that Windows applications use to exchange data. These vulnerabilities could leave systems exposed to takeover by malicious code, so users should take immediate corrective action even if they think it unlikely that an unscrupulous programmer could exploit these vulnerabilities.

Critical IE Vulnerabilities

The update for IE covers versions 5.01, 5.5, and 6.0 and is a cumulative release of previous patches plus new patches to eliminate three recently discovered vulnerabilities. Due to the technical nature of the vulnerabilities and the complex steps required to exploit them, users may underestimate the risk of the exposure. However, without these patches malicious code could be downloaded from a Web site or included with an e-mail message, allowing a user to gain control of the vulnerable computer.

The IE update, which Microsoft deemed important enough to release prior to its scheduled Feb. 2003 bulletin, includes a change to the functionality of IE: it removes support for handling user names and passwords in Hypertext Transfer Protocol (HTTP) and HTTP with Secure Sockets Layer (HTTPS) URLs. After installing the patch, the URL syntax http(s)://username:password@server/resource.ext is no longer supported in IE or Windows Explorer. Eliminating this syntax reduces the ability of malicious Web sites to trick site visitors into revealing personal information or to redirect those visitors to a Web site the user did not intend to visit. However, legitimate Web sites that use this syntax will have to revise their design to work with the patched versions of IE.