By Chris Mosby The "squeaky wheel gets the grease" seems to be Microsoft’s motto lately, as several patches for Internet Explorer (and components used by IE) were released out-of-cycle last month and on this week’s Patch Tuesday. Meanwhile, flaws in IE that are equally severe — but were getting less media attention — were left unpatched.
Serious IE ActiveX flaw left unpatched
The so-called SetSlice vulnerability, which had reports of being actively exploited via Internet Explorer, was patched this week with Microsoft’s release of MS06-057. But another IE flaw, which is just as severe, was ignored, perhaps because it wasn’t causing the Redmond company as much trouble.
On Sept. 14, Microsoft released security advisory 925444 to warn customers about a flaw in its DirectAnimation Path ActiveX Control. This advisory stated:
“Microsoft is investigating new public reports of vulnerability in Microsoft Internet Explorer on Windows 2000 Service Pack 4, on Windows XP Service Pack 1, and on Windows XP Service Pack 2. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly and we are aware of limited attacks that are attempting to use the reported vulnerability. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports.
“The ActiveX control is the Microsoft DirectAnimation Path ActiveX control, which is included in Daxctle.ocx.
“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs.”
Apparently the “limited attacks,” as they were called, were treated as just that. On Sept. 19, Microsoft released a different security advisory, 926043, involving a flaw in how IE handles VML (Vector Markup Language). This hole was already being exploited in a more widespread fashion. After that, not much more was heard from Microsoft on the issue. The company did update the advisory on Sept. 27, one day after an out-of-cycle patch for the VML flaw was released.