By Brian Livingston and Paul Thurrott
MS04-040 (889669): In an effort to close an Internet Explorer security hole that had become the target of a few initial exploits across the Internet, Microsoft released a new cumulative patch for IE on Dec. 1, rather than waiting for the Redmond company’s regular release date, the 2nd Tuesday of the month.
We warned in the Nov. 18 issue of Windows Secrets about a number of unpatched security flaws in Internet Explorer. These included a vulnerability known as IFRAME, named for the HTML tag that the exploit takes advantage of.
Microsoft at that time had no patch available to close the holes. Security firms and even governments from around the world urged users to stop running IE and to switch to an alternative browser. In one example, the Finnish Communications Regulatory Authority (FICORA) advised computer users to adopt a different browser than IE because of the recent spate of unpatched flaws.
The IFRAME vulnerability, among other threats, currently appears on the Net in new variants of the MyDoom worm called Bofra.A and Bofra.B.
Bofra-based exploits can infect a user’s system through such innocent-appearing means as banner ads that are displayed on Web sites. The ads can download infected programs to a machine, although not to Windows XP machines that have Microsoft’s recent Service Pack 2 (SP2) installed.