Microsoft Security Bulletin MS03-032 - 822925


Jerry Bryant [MSFT]

Title: Cumulative Patch for Internet Explorer (822925)
Date: 08/20/2003
Software: Microsoft Internet Explorer 5.01; Microsoft Internet Explorer 5.5;
Microsoft Internet Explorer 6.0; Microsoft Internet Explorer 6.0 for Windows
Server 2003
Impact: Two new vulnerabilities, the most serious of which could enable an
attacker to run arbitrary code on a user's system if the user either browsed
to a hostile Web site or opened a specially crafted HTML-based email
message.
Maximum Severity Rating: Critical
Bulletin: MS03-032

The Microsoft Security Response Center has released Microsoft Security
Bulletin MS03-032

What Is It?
The Microsoft Security Response Center has released Microsoft Security
Bulletin MS03-032 which concerns a vulnerability in the versions of Internet
Explorer listed above. Customers are advised to review the information in
the bulletin, test and deploy the patch immediately in their environments,
if applicable.

More information is now available at
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

If you have any questions regarding the patch or its implementation after
reading the above listed bulletin you should contact Product Support
Services in the United States at 1-866-PCSafety (1-866-727-2338).
International customers should contact their local subsidiary.


--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.
 

Hector Santos

Jerry, if you have the power to make a change here or make recommendations
to the authors, I suggest the following.

Every time I get one of these "cumulative patch" reports, I am at a loss on
whether this is new or old.

My suggestion is when the title says "Cumulative" then somewhere in the
report, the list of the cumulated patches is listed.

As it sounds now, the title makes it seem there isn't anything new (for
those who are up-to-date) yet the impact statement makes it sound there is
actually something BRAND new here.

If that is the case the TITLE should simply indicate "NEW" with additional
information that indicates that the patch to fix this new flaw also includes
the fixes for past flaws.

So is this a new flaw or not? <g>
 

Kent W. England [MVP]

From the bulletin:
"In addition to these vulnerabilities, a change has been made to the way
Internet Explorer renders HTML files. This change addresses a flaw in
the way Internet Explorer renders Web pages that could cause the browser
or Outlook Express to fail. Internet Explorer does not properly render
an input type tag. A user visiting an attacker's Web site could allow
the attacker to exploit the vulnerability by viewing the site. In
addition, an attacker could craft a specially formed HTML-based e-mail
that could cause Outlook Express to fail when the e-mail was opened or
previewed."

That is one particular annoyance that no one here will miss.
 
