Microsoft issues critical fix for IE

By Bill Brenner, News Writer 13 Dec 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

For Internet Explorer users, the wait is over.

Microsoft used its monthly security update Tuesday to patch a widely publicized "critical" security hole in its Web browser, which has been targeted by publicly available exploit code in recent weeks. The software giant also patched several other outstanding IE issues, and an "important" flaw in the Windows kernel.

In recent weeks, security experts had speculated that Microsoft might release an early patch for Internet Explorer, after the software giant acknowledged reports that exploit code was circulating for certain flaws. But an out-of-cycle release never came to pass.

For more information SearchSecurity.com is your source for the latest news on Microsoft security. Read more of our recent coverage below. Two Windows patches coming, IE fix uncertain Out-of-cycle IE patch may be imminent Microsoft pads security partner competency

Attackers who successfully exploit the flaws in IE and Windows could then launch malicious code and take complete control of affected machines to "install programs; view, change, or delete data or create new accounts with full user rights," Microsoft said.

Cupertino, Calif.-based antivirus firm Symantec Corp. raised its ThreatCon to Level 2 in response to Microsoft's patch release, notifying customers of its DeepSight Threat Management System by e-mail Tuesday afternoon.

"This appears to be the long-awaited IE patch I had hoped would have come out a couple of weeks ago," Internet Storm Center (ISC) founder and CTO Johannes Ullrich said on the center's Web site Tuesday. "As this update addresses a number of problems, which do aggregate to a critical severity in all operating systems earlier than Windows 2003," Ullrich wrote, "the ISC is recommending that you patch this as soon as possible."

This month's bulletins summarized
The first bulletin is a "critical" cumulative fix for Internet Explorer, addressing four different security holes:

• A flaw in how the browser displays file download dialog boxes and accepts user input during interaction with a Web page. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
• An information disclosure flaw in how the browser behaves in certain situations where an HTTPS proxy server requires clients to use Basic authentication. "This vulnerability could allow an attacker to read Web addresses in clear text sent from Internet Explorer to a proxy server despite the connection being an HTTPS connection," Microsoft said.
• A flaw in how the browser instantiates COM objects that are not intended to be instantiated in Internet Explorer. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
• A flaw in how the browser handles mismatched Document Object Model objects. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.

The second bulletin fixes an "important" flaw in how asynchronous procedure calls are processed within the Windows kernel.

According to Aliso Viejo, Calif.-based eEye Digital Security Inc., which reported the flaw to Microsoft, the vulnerability "could allow any code executing on a Windows NT 4.0 or Windows 2000 system to elevate itself to the highest possible local privilege level (kernel)." For example, the firm added, "a malicious user, network worm, or e-mail virus could take advantage of this vulnerability in order to completely compromise the vulnerable system on which the exploit code is executing, regardless of that code's original privilege level."

The firm said the vulnerability exists in the thread termination routine within NTOSKRNL.EXE. "Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a 'data free' vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly," eEye said.

Tags: Security Patch Management,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  Web Browser Security,  Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Adobe patches ColdFusion vulnerability blocking website attack Microsoft to address DirectShow, ActiveX zero-day flaws Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities Application Attacks (Buffer Overflows, Cross-Site Scripting) Adobe ColdFusion websites being compromised PCI management: The case for Web application firewalls Month of Twitter Bugs project to document Twitter flaws Adobe issues first quarterly patch release fixing 13 flaws Balancing security and performance: Protecting layer 7 on the network Adobe issues Reader update fixing zero-day flaw The Pipe Dream of No More Free Bugs Security Squad: Federal cybersecurity defenses Oracle issues 43 updates, fixes serious database flaws Attackers target new Microsoft PowerPoint zero-day flaw Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Browser Security Researchers to demonstrate new EV SSL man-in-the-middle hacks Security researchers develop browser-based darknet Microsoft cracks down on click fraud ring Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates IT pros can detect, prevent website vulnerabilities, thwart attacks Stolen FTP credentials likely in massive website attacks Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert US-CERT warns of Gumblar, Martuz drive-by exploits Google study backs browser silent auto update feature Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary