New IE Security Rollup

Microsoft released a new IE security rollup that eliminates four new script-based vulnerabilities.

Paula Sharick

May 26, 2003


In keeping with the bimonthly schedule of updates, Microsoft released a security rollup for Internet Explorer (IE) 5.0 through IE 6.0 Service Pack 1 (SP1) on April 23. As is standard with rollups, this release supersedes and replaces the February IE update. The April 23 version eliminates four new script-based vulnerabilities that let an attacker either load and run code on your system or copy files from the local system to a destination of the attacker’s choice. Because the latest crop of flaws is exploited only through HTML code that runs on a Web server, you’d have to visit a malicious Web site to become a victim of the vulnerabilities. Unlike previous IE vulnerabilities, a malicious user can't use email to exploit these flaws, other than by presenting you with links to a Web site that contains code to leverage the script-based flaws. For more information about the nature of the vulnerabilities, see Microsoft Security Bulletin MS03-017 (Flaw in Windows Media Player Skins Downloading could allow Code Execution).

People updating Windows XP systems will be happy to hear that Microsoft corrected the bug that caused previous rollups to fail if installed in noninteractive mode. You can successfully install this rollup on XP systems in unattended mode by using the Windows Task Scheduler, Microsoft Systems Management Server (SMS), or IBM’s Tivoli software.

This hotfix is specific to the version of IE you're running, so you’ll need to download a hotfix file for each IE version that you support. I've listed the IE Security rollup download links below. So, for example, the line for IE 5.5 SP2 below updates IE 5.5 on Windows 2000, Windows NT, Windows Me, and Windows 98. The one exception is the last download link in the list--you can install the IE 5.01 SP3 hotfix only on systems running Win2K. The download file name is q813489.exe, and the related Microsoft article is "MS03-015: April, 2003, Cumulative Patch for Internet Explorer" (http://support.microsoft.com/?kbid=813489). To complete installation of the rollup, you must reboot the system. To verify that the installation was successful, open the browser after the reboot, click the Help menu, and select About Internet Explorer. You should see Q813489 in the Update Versions list.
- IE 6.0 SP1 Security Update:
http://download.microsoft.com/download/3/8/1/381b989a-35a5-4001-9d2f-fb07342a9823/q813489.exe
- IE 6.0 SP1 XP 64-bit edition Security Update:
http://download.microsoft.com/download/2/7/0/2709d28e-1a57-422a-9632-7f66f207c8ea/q813489.exe
- IE 6.0 Security Update:
http://download.microsoft.com/download/c/c/4/cc4f0ced-8afd-4a94-9acb-0157e248e9ad/q813489.exe
- IE 5.5 SP2 Security Update:
http://download.microsoft.com/download/6/f/3/6f3ed97b-ef80-4939-8e59-441550d31e0b/q813489.exe
- IE 5.01 SP3 (Win2K SP3) Security Update:
http://download.microsoft.com/download/6/4/4/64456dfa-aeac-4651-88f5-12ad38b3e47d/q813489.exe

If the update causes IE to behave incorrectly, you can remove it interactively using the Control Panel Add/Remove Programs applet (select and remove Internet Explorer Q813489 from the alphabetical list). To remove this rollup at a command prompt or in a script, use the IE utility ieuninst.exe. This utility is in the %windir% directory. On XP and Win 9x systems, %windir% defaults to C:\windows; on Win2K, %windir% defaults to C:\winnt. The command %windir%\ieuninst /q %windir%\inf\Q813489.inf removes this patch in quiet mode (/q), which requires no user interaction.

You need to be aware of one modification in this rollup. Because of a security flaw in earlier versions of the HTML Help control, this release, like its predecessor, permanently disables the vulnerable control. If you're writing or using HTML-based Help code, you can restore the Help functionality only by installing the nonvulnerable Help Control specific to your OS. The security rollup for IE 6.0 SP1 also permanently disables an earlier ActiveX control that's vulnerable to a similar exploit.

Updated HTML Help Control Download Links
- XP:
http://www.microsoft.com/downloads/details.aspx?familyid=2a086526-ae89-4cb3-a819-e6da160f2e66&displaylang=en
- XP 64-Bit Edition:
http://www.microsoft.com/downloads/details.aspx?familyid=8b6c98b6-5bb5-4120-8191-f02655ae2c75&displaylang=en
- Win2K:
http://www.microsoft.com/downloads/details.aspx?familyid=6e1c7f59-aba6-4824-90df-43a5be073cd9&displaylang=en
- NT 4.0 (including Terminal Services edition):
http://download.microsoft.com/download/c/c/8/cc8a7962-f72f-4358-a13d-326be29d3623/hhupd.exe
- Win98:
http://www.microsoft.com/windows98/downloads/contents/wucritical/q811630/default.asp
