Microsoft Catches Flaw Left In IE Update
The software giant has issued security bulletin MS04-025, which it said fills in security gaps left exposed after a previous software update, bulletin MS04-004.
If left unpatched, the weakness in IE poses a security threat rated "severe" by both Microsoft and security vendors such as Symantec, Cupertino, Calif.
Without this update, "if a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs such as spyware and backdoors, viewing, changing or deleting data, and creating new accounts with full privileges," according to a Symantec security alert.
Microsoft missed the vulnerability in bulletin MS04-004. "Subsequent to the release of this security bulletin (MS04-025), Microsoft was made aware that the update provided for Windows XP customers running the new version of Windows Update, Windows Update Version 5, did not contain the final release code for the vulnerabilities addressed in the security bulletin," according to the Redmond, Wash.-based company.
"Microsoft has corrected the update and is re-releasing this bulletin to advise of the availability of a revised update available to Windows Update Version 5 customers. Customers who are utilizing Windows Update Version 4, the vast majority of customers, are not affected by this revision," Microsoft officials said in bulletin MS04-025.
Users running IE atop Windows NT, 2000 and Server 2003 operating systems are affected by the latest update. Users should explore the details of the update to remedy their individual configurations.