Microsoft issues critical fix for IE

In addition to the long-awaited browser fix, the software giant also addressed an "important" Windows kernel flaw involving how certain procedure calls are processed.

For Internet Explorer users, the wait is over.

Microsoft used its monthly security update Tuesday to patch a widely publicized "critical" security hole in its Web browser, which has been targeted by publicly available exploit code in recent weeks. The software giant also patched several other outstanding IE issues, and an "important" flaw in the Windows kernel.

In recent weeks, security experts had speculated that Microsoft might release an early patch for Internet Explorer, after the software giant acknowledged reports that exploit code was circulating for certain flaws. But an out-of-cycle release never came to pass.

Attackers who successfully exploit the flaws in IE and Windows could then launch malicious code and take complete control of affected machines to "install programs; view, change, or delete data or create new accounts with full user rights," Microsoft said.

Cupertino, Calif.-based antivirus firm Symantec Corp. raised its ThreatCon to Level 2 in response to Microsoft's patch release, notifying customers of its DeepSight Threat Management System by e-mail Tuesday afternoon.

"This appears to be the long-awaited IE patch I had hoped would have come out a couple of weeks ago," Internet Storm Center (ISC) founder and CTO Johannes Ullrich said on the center's Web site Tuesday. "As this update addresses a number of problems, which do aggregate to a critical severity in all operating systems earlier than Windows 2003," Ullrich wrote, "the ISC is recommending that you patch this as soon as possible."

This month's bulletins summarized

The first bulletin is a "critical" cumulative fix for Internet Explorer, addressing four different security holes:

  • A flaw in how the browser displays file download dialog boxes and accepts user input during interaction with a Web page. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
  • An information disclosure flaw in how the browser behaves in certain situations where an HTTPS proxy server requires clients to use Basic authentication. "This vulnerability could allow an attacker to read Web addresses in clear text sent from Internet Explorer to a proxy server despite the connection being an HTTPS connection," Microsoft said.
  • A flaw in how the browser instantiates COM objects that are not intended to be instantiated in Internet Explorer. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
  • A flaw in how the browser handles mismatched Document Object Model objects. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.

The second bulletin fixes an "important" flaw in how asynchronous procedure calls are processed within the Windows kernel.

According to Aliso Viejo, Calif.-based eEye Digital Security Inc., which reported the flaw to Microsoft, the vulnerability "could allow any code executing on a Windows NT 4.0 or Windows 2000 system to elevate itself to the highest possible local privilege level (kernel)." For example, the firm added, "a malicious user, network worm, or e-mail virus could take advantage of this vulnerability in order to completely compromise the vulnerable system on which the exploit code is executing, regardless of that code's original privilege level."

The firm said the vulnerability exists in the thread termination routine within NTOSKRNL.EXE. "Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a 'data free' vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly," eEye said.
