MS04-025 (KB 867801): Microsoft issued a cumulative update for Internet Explorer on July 30 that fixes three critical flaws in the browser. The security bulletin includes patches to stop the Download.Ject Trojan attacks, which are “in the wild” and succeeded against many machines in mid-June.
Microsoft posted the update without waiting for its usual second-Tuesday release date, which indicates the seriousness of the problem.
The fixes apply to both Internet Explorer 5.01 (SP2 or newer) and IE 6.0 (any version). The security hole affects versions of IE running on a wide range of Windows versions, including Windows XP (the original release and SP1), Windows 2000 (SP2, SP3, and SP4), Windows NT 4.0 Service Pack 6a (Workstation, Server, and Terminal Server Editions), Windows Server 2003, and the 64-bit versions of Windows XP and Windows Server 2003.
The fixes are available through both Windows Update and Automatic Updates, as well as from the Microsoft Security Web site.
Microsoft’s previous response to the attack was to release a configuration change for Windows, which we analyzed in the July 8 paid version of the Windows Secrets Newsletter. The company said the Registry change would prevent Download.Ject and similar attacks from infecting users’ systems.