Microsoft issues critical fix for IE

By Bill Brenner, News Writer 13 Dec 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

For Internet Explorer users, the wait is over.

Microsoft used its monthly security update Tuesday to patch a widely publicized "critical" security hole in its Web browser, which has been targeted by publicly available exploit code in recent weeks. The software giant also patched several other outstanding IE issues, and an "important" flaw in the Windows kernel.

In recent weeks, security experts had speculated that Microsoft might release an early patch for Internet Explorer, after the software giant acknowledged reports that exploit code was circulating for certain flaws. But an out-of-cycle release never came to pass.

For more information SearchSecurity.com is your source for the latest news on Microsoft security. Read more of our recent coverage below. Two Windows patches coming, IE fix uncertain Out-of-cycle IE patch may be imminent Microsoft pads security partner competency

Attackers who successfully exploit the flaws in IE and Windows could then launch malicious code and take complete control of affected machines to "install programs; view, change, or delete data or create new accounts with full user rights," Microsoft said.

Cupertino, Calif.-based antivirus firm Symantec Corp. raised its ThreatCon to Level 2 in response to Microsoft's patch release, notifying customers of its DeepSight Threat Management System by e-mail Tuesday afternoon.

"This appears to be the long-awaited IE patch I had hoped would have come out a couple of weeks ago," Internet Storm Center (ISC) founder and CTO Johannes Ullrich said on the center's Web site Tuesday. "As this update addresses a number of problems, which do aggregate to a critical severity in all operating systems earlier than Windows 2003," Ullrich wrote, "the ISC is recommending that you patch this as soon as possible."

This month's bulletins summarized
The first bulletin is a "critical" cumulative fix for Internet Explorer, addressing four different security holes:

• A flaw in how the browser displays file download dialog boxes and accepts user input during interaction with a Web page. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
• An information disclosure flaw in how the browser behaves in certain situations where an HTTPS proxy server requires clients to use Basic authentication. "This vulnerability could allow an attacker to read Web addresses in clear text sent from Internet Explorer to a proxy server despite the connection being an HTTPS connection," Microsoft said.
• A flaw in how the browser instantiates COM objects that are not intended to be instantiated in Internet Explorer. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
• A flaw in how the browser handles mismatched Document Object Model objects. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.

The second bulletin fixes an "important" flaw in how asynchronous procedure calls are processed within the Windows kernel.

According to Aliso Viejo, Calif.-based eEye Digital Security Inc., which reported the flaw to Microsoft, the vulnerability "could allow any code executing on a Windows NT 4.0 or Windows 2000 system to elevate itself to the highest possible local privilege level (kernel)." For example, the firm added, "a malicious user, network worm, or e-mail virus could take advantage of this vulnerability in order to completely compromise the vulnerable system on which the exploit code is executing, regardless of that code's original privilege level."

The firm said the vulnerability exists in the thread termination routine within NTOSKRNL.EXE. "Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a 'data free' vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly," eEye said.

Tags: Security Patch Management,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  Web Browser Security,  Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Application Attacks (Buffer Overflows, Cross-Site Scripting) Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches SSH key compromise shuts down Apache website IBM finds sharp spike in malicious content on trusted sites Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Browser Security Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary