MS to Patch Critical IE Zero-Day Flaw

Just two weeks after the release of exploit code
for a critical (remotely exploitable) security hole in its Internet
Explorer browser, Microsoft says a fix will be included in this month’s
batch of Patch Tuesday updates.

Just two weeks after the release of exploit code
for a critical (remotely exploitable) security hole in its Internet
Explorer browser, Microsoft says a fix will be included in this month’s
batch of Patch Tuesday updates.

Microsoft has already issued an advisory
to confirm the severity of the issue, which affects users of Internet
Explorer 6 and Internet Explorer 7 on Windows XP, Windows Server 2003,
Windows Vista, and Windows Server 2008.

In all, Microsoft plans to release six security bulletins next
Tuesday (December 8, 2009) to fix security flaws affected IE, Microsoft
Office and the Windows operating system.

Three of the six bulletins will be rated “critical,” Microsoft’s
highest severity rating.  A critical vulnerability could result in
remote code execution if a user opens a rigged file or simply surfs to
malicious Web site.

The IE and Windows bulletins will touch all supported versions of those products, Microsoft said.  This includes Internet Explorer 8 on Windows 7.

On the Microsoft Office side, the bulletins will address security holes in Project, Word and Works 8.5.

 

Microsoft urged customers to pay special attention to the IE update
because of the availability of public exploit code and the fact that
attackers could launch malware attacks to take complete control of a
Windows machine running a vulnerable browser

Here’s the gist of the known problem:

A
vulnerability has been identified in Microsoft Internet Explorer, which
could be exploited by attackers to compromise a vulnerable system. This
issue is caused by a dangling pointer in the Microsoft HTML Viewer
(mshtml.dll) when retrieving certain CSS/STYLE objects via the
“getElementsByTagName()” method, which could allow attackers to crash
an affected browser or execute arbitrary code by tricking a user into
visiting a malicious web page.

See more details via Microsoft’s Advance Notice Service (ANS).

Suggested articles