Microsoft warns of dangerous IE browser vulnerabilities

Summary: The most severe vulnerabilities could allow remote code execution if a user simply views a specially crafted web page using Internet Explorer.

Microsoft is warning all users of its Internet Explorer web browser to immediately apply the latest security patch as a precaution against malicious hacker attacks.

As part of its Patch Tuesday releases, the company shipped a high-priority IE update (MS12-010) which covers four documented vulnerabilities that could be used in drive-by downloads with minimal user action.

The update is rated "critical" for Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows client machines, and Microsoft expects to see reliable exploit code published within the next 30 days.

The most severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer, Microsoft warned.

[ SEE: Hackers pounce on just-patched Windows Media vulnerability ]

The IE patch addresses the vulnerabilities by modifying the way that Internet Explorer handles content during copy and paste processes, handles objects in memory, and creates and initializes strings.

The company is also urging Windows users to pay special attention to MS12-013, a critical bulletin that fixes a flaw that could allow remote code execution if a user opens a specially crafted media file that is hosted on a website or sent as an email attachment.

From the bulletin:

A remote code execution vulnerability exists in the way that the msvcrt DLL calculates the size of a buffer in memory, allowing data to be copied into memory that has not been properly allocated. This vulnerability could allow remote code execution if a user opens a specially crafted media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft also noted that any application that uses msvcrt.dll could be affected by this vulnerability, meaning that some third-party applications may also be vulnerable.

[ SEE: Patch Tuesday heads-up: 21 vulnerabilities, including 'critical' IE bulletin ]

This month's batch of patches also fixes remote code execution vulnerabilities in Windows kernel mode drivers, privilege escalation flaws in the ancillary function driver, security holes in Microsoft SharePoint, code execution holes in the color panel control, and dangerous security problems in the Indeo codec and Microsoft Visio Viewer 2010.

The company also shipped fixes for vulnerabilities in .Net Framework and Microsoft Silverlight.

[ SEE: Ten little things to secure your online presence ]



Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
