Microsoft Releases IE Patch for Ad Banner Exploit

Microsoft has issued a patch to fix an Internet Explorer vulnerability that was exploited broadly by hackers using compromised ad banners.

The new patch joined re-releases of three October fixes for Windows XP Service Pack 1 for users who didn’t get automatic updates through Windows Update and Automatic Updates services, Microsoft said. The new patch’s release also accompanied an out-of-cycle Microsoft security bulletin.

The IE vulnerability behind the ad banner exploitation was first discovered in late October and lies in IE's handling of iFrame tags. It is a buffer overflow that lets a hacker take full control of a compromised system: users are directed through the compromised ad banners to Web sites that can then send malicious code to their computers, Microsoft said.

A month after the flaw was discovered, the SANS Institute Internet Storm Center confirmed hackers were using rogue banner ads to lure surfers to sites putting code of a MyDoom variant onto their computers.

"The Storm Center received a report of a high-profile U.K. Web site that contains a pointer on their main page to another URL hosting the Bofra/IFRAME exploit," ISC director Marcus Sachs said in a widely-disseminated message in late November. "We have confirmed that if this site is visited using Internet Explorer, the exploit will be downloaded."
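A defender-side check for the pattern described above and in the ISC report, added here as an illustration and not code from the article, Microsoft or the Storm Center: it parses an HTML page and flags frame-like tags whose attribute values are abnormally long (assuming, since the article does not say, that the overflow is triggered by an oversized attribute value) or whose src points to a third-party host, as a compromised banner pointing at an exploit-hosting URL would. The length threshold, host names and sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristic threshold: the article gives no trigger length, so this
# value is chosen only to make over-long attribute values stand out.
MAX_ATTR_LEN = 256
FRAME_TAGS = {"iframe", "frame", "embed"}


class FrameAuditor(HTMLParser):
    """Collects findings about iframe-like tags while the page is parsed."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser hands tag and attribute names over already lower-cased.
        if tag not in FRAME_TAGS:
            return
        for name, value in attrs:
            if value is None:
                continue
            # Over-long attribute value: the kind of input a buffer overflow
            # in tag handling would be fed.
            if len(value) > MAX_ATTR_LEN:
                self.findings.append(("oversized-attr", tag, name, len(value)))
            # Frame pulled from a host other than the page itself: a banner or
            # pointer to a third-party URL that deserves review.
            if name == "src":
                host = urlparse(value).hostname
                if host and host != self.page_host:
                    self.findings.append(("third-party-src", tag, name, host))


def audit_html(html, page_host):
    """Return the list of (kind, tag, attribute, detail) findings for a page."""
    parser = FrameAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one banner iframe from a third-party ad host, and one
# iframe whose src attribute is padded far beyond the threshold.
SAMPLE_HTML = (
    "<html><body>"
    '<iframe src="https://ads.example.net/banner.html" width="468" height="60"></iframe>'
    '<iframe src="' + "A" * 600 + '" name="x"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, "www.example.co.uk"):
        print(finding)
```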

That worm was said to combine a package of attack methods, from spam to virus infections to Trojan horse programs, and was discovered a mere five days after the iFrame vulnerability in IE was discovered and confirmed.

Microsoft has been under consistent criticism in recent months for lagging in finding and plugging security vulnerabilities in its most widely-used software, criticism which accelerated somewhat when the new, open-source Firefox Internet browser was released in its first full version and its maker, the Mozilla Foundation, was praised for pouncing promptly on any of the very few potential security problems it might have.