In-Depth

Microsoft Patches Broken Patch

Botched IE update disrupted browser authentication and help

• By Mathew Schwartz
• 02/19/2003

The patch, “February, 2003 Cumulative Patch for Internet Explorer (810847),” affected Internet Explorer 5.01, 5.1, and 6.0, and a range of Web sites requiring authentication, including subscription-based sites and MSN e-mail. Internet Explorer versions 5.0 and earlier may be similarly vulnerable, said Microsoft, but they are no longer supported.

The original security fix addressed two new vulnerabilities in Internet Explorer’s cross-domain security model. In one flaw, an attacker could craft code and put it on a Web site. When users encountered the code, it could deposit “a malicious executable onto the system and then run it,” according to Microsoft. In the other flaw, attackers could use the showHelp function—a method in Internet Explorer for displaying HTML help files—to read files on a user’s PC or read the user’s personal information.

Again, the user would have to click a malicious link at another Web site for this to work, or else the attacker would need to know exact pathnames of information to be purloined. On the other hand, the locations of many Windows file types are stored in identical directories across millions of PCs. This vulnerability could also be used to load malicious executables on a user’s computer.

The update fixes the showHelp attack simply by disabling showHelp. Another patch, “Critical Update 811630,” is needed to restore showHelp functionality.

The updated patch can be found at: http://www.microsoft.com/technet/security/bulletin/MS03-004.asp