For Internet Explorer users, the wait is over.
Microsoft used its monthly security update Tuesday to patch a widely publicized "critical" security hole in its Web browser, which has been targeted by publicly available exploit code in recent weeks. The software giant also patched several other outstanding IE issues, and an "important" flaw in the Windows kernel.
In recent weeks, security experts had speculated that Microsoft might release an early patch for Internet Explorer, after the software giant acknowledged reports that exploit code was circulating for certain flaws. But an out-of-cycle release never came to pass.
Cupertino, Calif.-based antivirus firm Symantec Corp. raised its ThreatCon to Level 2 in response to Microsoft's patch release, notifying customers of its DeepSight Threat Management System by e-mail Tuesday afternoon.
"This appears to be the long-awaited IE patch I had hoped would have come out a couple of weeks ago," Internet Storm Center (ISC) founder and CTO Johannes Ullrich said on the center's Web site Tuesday. "As this update addresses a number of problems, which do aggregate to a critical severity in all operating systems earlier than Windows 2003," Ullrich wrote, "the ISC is recommending that you patch this as soon as possible."
This month's bulletins summarized
The first bulletin is a "critical" cumulative fix for Internet Explorer, addressing four different security holes:
- A flaw in how the browser displays file download dialog boxes and accepts user input during interaction with a Web page. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
- An information disclosure flaw in how the browser behaves in certain situations where an HTTPS proxy server requires clients to use Basic authentication. "This vulnerability could allow an attacker to read Web addresses in clear text sent from Internet Explorer to a proxy server despite the connection being an HTTPS connection," Microsoft said.
- A flaw in how the browser instantiates COM objects that are not intended to be instantiated in Internet Explorer. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
- A flaw in how the browser handles mismatched Document Object Model objects. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
The second bulletin fixes an "important" flaw in how asynchronous procedure calls are processed within the Windows kernel.
According to Aliso Viejo, Calif.-based eEye Digital Security Inc., which reported the flaw to Microsoft, the vulnerability "could allow any code executing on a Windows NT 4.0 or Windows 2000 system to elevate itself to the highest possible local privilege level (kernel)." For example, the firm added, "a malicious user, network worm, or e-mail virus could take advantage of this vulnerability in order to completely compromise the vulnerable system on which the exploit code is executing, regardless of that code's original privilege level."
The firm said the vulnerability exists in the thread termination routine within NTOSKRNL.EXE. "Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a 'data free' vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly," eEye said.