Microsoft issued fixes for three major security flaws in Microsoft Internet Explorer
(IE) yesterday. The fixes include a relatively well-known "phishing" (URL-spoofing)
vulnerability that appears in all standards-compliant browsers and could let attackers
silently redirect users to malicious Web sites. Microsoft made the updates available
outside of its usual monthly schedule for critical security fixes because the company
felt they were important enough to release immediately. Since the company moved to
the new schedule, Microsoft has said that it would occasionally do so when necessary.

"Due to the nature of this vulnerability and feedback from customers, we felt like
there was enough of a risk to release the fixes early," Mike Reavey, a security program
manager for Microsoft's Security Response Center, noted. "We did this in response
to the particular nature of the URL-spoofing issue. And also there was a lot of customer
feedback about this. While we like to maintain a predictable schedule, with this particular
issue we released it as soon as it was ready."

Although the phishing vulnerability and one of the other vulnerabilities fixed this
week are rated important, the remaining security fix is rated critical. The nonphishing
patches involve flaws that could let attackers take control of Windows systems. All
three fixes apply to IE 5.01 and later running on Windows Server 2003; Windows XP;
Windows 2000; Windows NT Server 4.0, Terminal Server Edition (WTS); and NT 4.0. Microsoft
has issued one critical patch that addresses all three vulnerabilities. Most Windows
users can get the patch through Windows Update or automatically through Automatic
Updates. For more information, visit the Microsoft Web site.
http://www.microsoft.com/security/security_bulletins/20040202_windows.asp