December 2004
When Microsoft released their November 2004 Security Bulletins they did not acknowledge or address a vulnerability which had been announced the week prior. Exploiting the iFrame flaw in Internet Explorer could potentially allow an attacker to gain complete control of a victim’s computer.
As of early November, the flaw was already being exploited on the Internet, and a new variant of the Mydoom worm, later renamed the Bofra worm by some antivirus vendors, took advantage of the vulnerability as well.
Microsoft broke their normal patch release schedule to put out a critical update for Internet Explorer. On the regularly scheduled monthly Security Bulletin release date, Tuesday, December 14, Microsoft released five more Security Bulletins.
- Microsoft Security Bulletin MS04-040
  Cumulative Security Update for Internet Explorer
  Microsoft Criticality: Critical
- Microsoft Security Bulletin MS04-041
  Vulnerability in WordPad Could Allow Code Execution
  Microsoft Criticality: Important
- Microsoft Security Bulletin MS04-042
  Vulnerability in DHCP Could Allow Remote Code Execution and Denial of Service
  Microsoft Criticality: Important
- Microsoft Security Bulletin MS04-043
  Vulnerability in HyperTerminal Could Allow Code Execution
  Microsoft Criticality: Important
- Microsoft Security Bulletin MS04-044
  Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege
  Microsoft Criticality: Important
- Microsoft Security Bulletin MS04-045
  Vulnerability in WINS Could Allow Remote Code Execution
  Microsoft Criticality: Important