
Microsoft issues critical fix for IE

By Bill Brenner, News Writer
13 Dec 2005 | SearchSecurity.com

Security Wire Daily News

For Internet Explorer users, the wait is over.

Microsoft used its monthly security update Tuesday to patch a widely publicized "critical" security hole in its Web browser, which has been targeted by publicly available exploit code in recent weeks. The software giant also patched several other outstanding IE issues, and an "important" flaw in the Windows kernel.

In recent weeks, security experts had speculated that Microsoft might release an early patch for Internet Explorer, after the software giant acknowledged reports that exploit code was circulating for certain flaws. But an out-of-cycle release never came to pass.

Attackers who successfully exploit the flaws in IE and Windows could then launch malicious code and take complete control of affected machines to "install programs; view, change, or delete data or create new accounts with full user rights," Microsoft said.

Cupertino, Calif.-based antivirus firm Symantec Corp. raised its ThreatCon to Level 2 in response to Microsoft's patch release, notifying customers of its DeepSight Threat Management System by e-mail Tuesday afternoon.

"This appears to be the long-awaited IE patch I had hoped would have come out a couple of weeks ago," Internet Storm Center (ISC) founder and CTO Johannes Ullrich said on the center's Web site Tuesday. "As this update addresses a number of problems, which do aggregate to a critical severity in all operating systems earlier than Windows 2003," Ullrich wrote, "the ISC is recommending that you patch this as soon as possible."

This month's bulletins summarized
The first bulletin is a "critical" cumulative fix for Internet Explorer, addressing four different security holes:

  • A flaw in how the browser displays file download dialog boxes and accepts user input during interaction with a Web page. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
  • An information disclosure flaw in how the browser behaves in certain situations where an HTTPS proxy server requires clients to use Basic authentication. "This vulnerability could allow an attacker to read Web addresses in clear text sent from Internet Explorer to a proxy server despite the connection being an HTTPS connection," Microsoft said.
  • A flaw in how the browser instantiates COM objects that are not intended to be instantiated in Internet Explorer. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.
  • A flaw in how the browser handles mismatched Document Object Model objects. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited [the site]," Microsoft said.

The second bulletin fixes an "important" flaw in how asynchronous procedure calls are processed within the Windows kernel.

According to Aliso Viejo, Calif.-based eEye Digital Security Inc., which reported the flaw to Microsoft, the vulnerability "could allow any code executing on a Windows NT 4.0 or Windows 2000 system to elevate itself to the highest possible local privilege level (kernel)." For example, the firm added, "a malicious user, network worm, or e-mail virus could take advantage of this vulnerability in order to completely compromise the vulnerable system on which the exploit code is executing, regardless of that code's original privilege level."

The firm said the vulnerability exists in the thread termination routine within NTOSKRNL.EXE. "Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a 'data free' vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly," eEye said.
