MS to Patch Critical IE Zero-Day Flaw
Just two weeks after the release of exploit code
for a critical (remotely exploitable) security hole in its Internet
Explorer browser, Microsoft says a fix will be included in this month's
batch of Patch Tuesday updates.
Microsoft has already issued an advisory
to confirm the severity of the issue, which affects users of Internet
Explorer 6 and Internet Explorer 7 on Windows XP, Windows Server 2003,
Windows Vista, and Windows Server 2008.
In all, Microsoft plans to release six security bulletins next Tuesday (December 8, 2009) to fix security flaws affecting IE, Microsoft Office and the Windows operating system.
Three of the six bulletins will be rated "critical," Microsoft's highest severity rating. A critical vulnerability could result in remote code execution if a user opens a rigged file or simply surfs to a malicious Web site.
The IE and Windows bulletins will touch all supported versions of those products, Microsoft said. This includes Internet Explorer 8 on Windows 7.
On the Microsoft Office side, the bulletins will address security holes in Project, Word and Works 8.5.
Microsoft urged customers to pay special attention to the IE update because of the availability of public exploit code and the fact that attackers could launch malware attacks to take complete control of a Windows machine running a vulnerable browser.
Here's the gist of the known problem:
A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.
See more details via Microsoft's Advance Notice Service (ANS).




