This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:


A buffer overrun vulnerability that occurs because Internet Explorer does not correctly check the parameters of a PNG graphics file when it is opened. To the best of Microsoft’s knowledge, this vulnerability could only be used to cause Internet Explorer to fail. The effect of exploiting the vulnerability against Internet Explorer would be relatively minor – the user would only need to restart the browser to restore normal operation. However, a number of other Microsoft products – notably, most Microsoft Office products and Microsoft Index Server – rely on Internet Explorer to render PNG files, and exploiting the vulnerability against such an application would cause them to fail as well. Because of this, Microsoft recommends that customers install this patch regardless of whether they are using Internet Explorer as their primary web browser.
An information disclosure vulnerability related to the way that Internet Explorer handles encoded characters in a URL. This vulnerability could allow an attacker to craft a URL containing some encoded characters that would redirect a user to a second web site. If a user followed the URL, the attacker would be able to piggy-back the user’s access to the second website. This could allow the attacker to access any information the user shared with the second web site.
A vulnerability that occurs because under certain circumstances Internet Explorer does not correctly check the component that the OBJECT tag calls. This could allow an attacker to obtain the name of the Temporary Internet Files folder on the user’s local machine. The vulnerability would not allow an attacker to read or modify any files on the user’s local system, since the Temporary Internet Files folder resides in the Internet security zone. Knowledge of the name of the Temporary Internet Files folder could allow an attacker to identify the username of the logged-on user and read other information in the Temporary Internet Files folder such as cookies.
Three vulnerabilities that although having differing root causes, have the same net effects. All three vulnerabilities result because of incomplete security checks being carried out when using particular programming techniques in web pages, and would have the effect of allowing one website to access information in another domain, including the user’s local system. This could enable the web site operator to read, but not change, any file on the user’s local computer that could be viewed in a browser window. In addition, this could also enable an attacker to invoke an executable that was already present on the local system.

This patch supercedes other recent patches. Q328970

Thanks for the heads up John ... getting it from Windows Update already...

I also noticed that there was an update for Windows 2000 (and XP etc)

Microsoft Knowledge Base Article - 329115, MS02-050: Certificate Validation Flaw Might Permit Identity Spoofing.