As first reported in WinInfo Daily UPDATE, on Friday Microsoft delivered an out-of-cycle critical security update for Microsoft Internet Explorer (IE). The update addresses three publicly disclosed IE vulnerabilities. In a bulletin that describes the update, Microsoft noted that it fixes the vulnerability that caused the Download.Ject virus and other problems.
"This bulletin addresses issues that could allow a malicious attacker to execute code on or take control of an affected computer user's system," a note I received from Microsoft said. "This could allow the attacker to install programs, view, change, or delete data, or create new accounts that have full privileges. Microsoft is committed to helping customers keep their information safe, and encourages all users to review, download and install this security update."
The comprehensive IE security fix is available now through Automatic Updates, Microsoft Windows Update, and the Microsoft Security Web site . Microsoft said that this fix will also be included in the version of IE that ships with the final version of Windows XP Service Pack 2 (SP2), which is due later this month. In addition, the company says that XP SP2 will include new "underlying architectural changes" that will mitigate these types of attacks.
The fix, which comes more than a month after attackers launched the Donwload.Ject attack, falls outside the company's planned monthly security-patch schedule because of the severity of the vulnerabilities. Last month, Microsoft released an interim fix of sorts (which the company called a configuration change) to help users combat Download.Ject. However, security researchers quickly denounced the configuration change as ineffective.
In related news, Microsoft also released an updated version of its Mydoom, Zindos, and Doomjuice Worm Removal Tool, which detects and removes various versions of the MyDoom worm (including variants A, B, E, F, G, J, L, and O), Zindos.A, Doomjuice.A, and Doomjuice.B. You can download the tool from Microsoft's Web site.