Security Update for HTML Help Control Helps Blunt IE Attack Vectors


Microsoft released several security updates today – MS05-001, MS05-002 and MS05-003.

  • MS05-001 has a fix for a remote code execution issue affecting the HTML Help Control. 
  • MS05-002 contains a fix for the “X-Focus” issues. 
  • MS05-003 has a fix for a remote code execution issue with Indexing Services.

The first two are rated “critical” and the third is “important”.

MS05-001 is the most critical for reducing IE-based attack vectors. The HTML Help Control team released an updated version of their control that fixes a critical vulnerability in that component. We are glad they were able to fix this vulnerability so quickly. Unfortunately, the XP SP2 security mitigations do not protect against the flaw in this control, so I encourage everybody to download the latest security updates from Windows Update and, if possible, turn on Automatic Updates so that you get these updates without having to navigate to Windows Update.

Microsoft also released technology on Windows Update today that helps remove malicious software from your system if it has been infected. The Malicious Software Removal Tool is mainly targeted at consumers, but it can also be leveraged in the enterprise space via SMS.  For more details, see http://www.microsoft.com/malwareremove

Thanks
Scott

Comments (8)

  1. Anonymous says:

    I was wondering, is this bug http://www.jmcardle.com/?postid=77 fixed as well?

  2. Anonymous says:

    Based on my testing, yes.

  3. Anonymous says:

    A suggestion (OK, probably not one for the IE blog). Why not incorporate the malware removal information, or the Giant anti-spyware tool (if downloaded) into the Security Center?

  4. Anonymous says:

    Looks like only one of these affects Windows XP SP2. Glad to see all that work you guys put in is paying off.

  5. Anonymous says:

    We have seen a huge number of HTML Help exploits in the past year. Perhaps Microsoft should re-examine the value of building into the OS a tool for executing HTML and scripts in the context of the local user?

  6. Anonymous says:

    So, trustworthy computing? Do you really think that I can trust MS after releasing the MS05-001 patch? I was on secunia.com and tried the vulnerability of my IE and it was vulnerable.

    From now on I can’t trust MS: IE is strongly bound to the OS and it’s full of holes, like Emmental.

    And waiting for a specific date (2nd Tuesday of the month) to release a highly critical update (MS05-001) doesn’t sound like trustworthy computing. The problem was known and MS surely had a patch. But it didn’t release it promptly.

    I like Windows XP SP2 :-) but I hate IE & OE.

  7. Anonymous says:

    http://support.microsoft.com/?kbid=890830:

    "New versions become available on the second Tuesday of every month. Microsoft may also release an updated version of the tool to supplement these releases if an emergency occurs."