Microsoft finally produces Explorer iFrame patch

Microsoft has finally produced a patch for the security hole in Internet Explorer that has become widely exploited in the past month.

The hole in iFrame Explorer tags was released publicly in October before Microsoft was informed, putting the software giant on the back foot immediately. Since then, several successful attempts have been made by hackers to exploit the hole. Most dramatically, an advertising company was hacked last week and banner ads on a large number of European websites inadvertently infected visitors.

The patch has been released outside of Microsoft's usual monthly security cycle - demonstrating its urgency. The vulnerability, MS04-040, allows attackers to take complete control of a compromised system and can be exploited by getting users to visit websites where malicious code is downloaded.

"We are aware of some proof-of-concept code and public attacks" that take advantage of the flaw, said Stephen Toulouse, security program manager at Microsoft's security response center. It is urging users to apply the latest patch as soon as possible, he added. The flaw doesn't affect users who have already installed XP SP2, however.

Meanwhile, Microsoft reissued three of its fixes from October for users of SP1 who may not have been offered the updates earlier. The problem involves SP1 users who may have downloaded the SP2 patch but have not installed it on their computers yet.

Microsoft's Windows Update and Automatic Updates service wouldn't have offered the October fixes automatically to such users, Toulouse said.