Microsoft Releases Patches for Several Critical Flaws

Microsoft's security campaign continued this week as the company issued a set of patches that address "critical flaws" in Internet Explorer (IE), Commerce Server 2000, and SQL Server. The IE patches, which the company issued through Windows Update and Auto Update late last week, address a previously unannounced VBScript-related vulnerability that affects all newer IE versions and also deal with an IE 6.0 bug first revealed late last year.

In addition to the IE fixes, the company released two other security-related patches: The first patch fixes an XML Core Services flaw in SQL Server 7.0 and SQL Server 2000; the second fixes a Commerce Server 2000 problem that allows Denial of Service (DoS) attacks.

For the first time, Microsoft isn't offering direct links to the IE patch downloads in its advisories, but is instead directing users to Windows Update, the preferred method for obtaining such patches. Users of older Windows versions that don't support Windows Update can still download the patches directly, however. The Commerce Server 2000 and SQL Server patches are also available for direct download. For more information, visit the following Microsoft Web sites.

IE 6.0 vulnerability (XMLHTTP Control Can Allow Access to Local Files)

IE VBScript vulnerability (Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files)

Commerce Server 2000 Q317615 security fix

SQL Server 2000 Security Update for Service Pack 2 (SP2)

SQL Server 7.0 Security Update for SP3