Microsoft Patches Critical IE Flaw
Prompted by a report from security company Foundstone, Microsoft on Wednesday issued a security bulletin and patch for a buffer overrun vulnerability affecting Internet Explorer. The flaw actually lies in the Microsoft Data Access Components (MDAC) package, which is installed by default on Windows Me and Windows 2000; IE is affected because it uses MDAC for remote database connectivity.
All versions of Windows running IE 5.01 and higher are potentially at risk - except Windows XP. If successfully exploited using a Web page or HTML e-mail, the buffer overrun could give an attacker complete control over an IIS server or client system running Internet Explorer.
"Clearly, this vulnerability is very serious, and Microsoft recommends that all customers whose systems could be affected by them take appropriate action immediately," reads the TechNet security bulletin.
Microsoft has released a patch that can be installed on Windows 98, Me, NT4 Service Pack 6a, and Windows 2000 SP2 or SP3. The fix will also be included in the next service packs for Internet Explorer 5.01 and Internet Explorer 6. The vulnerability does not affect Windows XP, which uses a later version of MDAC.