Microsoft warns of dangerous IE browser vulnerabilities

Summary: The most severe vulnerabilities could allow remote code execution if a user simply views a specially crafted web page using Internet Explorer.

Microsoft is warning all users of its Internet Explorer web browser to immediately apply the latest security patch as a precaution against malicious hacker attacks.

As part of its Patch Tuesday releases, the company shipped a high-priority IE update (MS12-010) which covers four documented vulnerabilities that could be used in drive-by downloads with minimal user action. The update is rated "critical" for Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows client machines, and Microsoft expects to see reliable exploit code published within the next 30 days.

The most severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer, Microsoft warned.

The IE patch addresses the vulnerabilities by modifying the way that Internet Explorer handles content during copy and paste processes, handles objects in memory, and creates and initializes strings.

The company is also urging Windows users to pay special attention to MS12-013, a critical bulletin that fixes a flaw that could allow remote code execution if a user opens a specially crafted media file that is hosted on a website or sent as an email attachment.

From the bulletin:

A remote code execution vulnerability exists in the way that the msvcrt DLL calculates the size of a buffer in memory, allowing data to be copied into memory that has not been properly allocated. This vulnerability could allow remote code execution if a user opens a specially crafted media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft also noted that any application that uses msvcrt.dll could be affected by this vulnerability, meaning that some third-party applications may also be vulnerable.
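
The bulletin describes a size-miscalculation bug: a buffer is sized from one value and filled according to another. The following is an added illustration of that bug class beside a checked form; it is not code from msvcrt or from the bulletin, and the record layout, `ELEM_SIZE` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout (hypothetical, not a real media format):
 *   bytes 0..3  little-endian element count
 *   bytes 4..   `count` elements of ELEM_SIZE bytes each */
#define ELEM_SIZE 8u

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Weak form: the 32-bit multiply wraps, so a huge count yields a tiny size.
 * Code that then copies `count` elements would write past the allocation. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Checked form: compute in 64 bits and refuse any size larger than the
 * bytes actually present in the input. Returns 0 on success, -1 on reject. */
int checked_alloc_size(uint32_t count, size_t avail, size_t *out) {
    uint64_t need = (uint64_t)count * ELEM_SIZE;
    if (need > avail) return -1;
    *out = (size_t)need;
    return 0;
}

/* Parse one record; returns a heap copy of the payload, or NULL if rejected. */
unsigned char *parse_record(const unsigned char *buf, size_t len, size_t *out_len) {
    size_t need;
    if (len < 4) return NULL;
    if (checked_alloc_size(read_le32(buf), len - 4, &need) != 0) return NULL;
    unsigned char *copy = malloc(need ? need : 1);
    if (!copy) return NULL;
    memcpy(copy, buf + 4, need);   /* bounded by the validated size */
    *out_len = need;
    return copy;
}

int main(void) {
    /* Constructed input: count = 0x20000001, followed by only 8 payload bytes. */
    unsigned char bad[12] = {0x01, 0x00, 0x00, 0x20};
    size_t n = 0;
    printf("unchecked size: %u bytes\n", (unsigned)unchecked_alloc_size(read_le32(bad)));
    printf("checked parse: %s\n", parse_record(bad, sizeof bad, &n) ? "accepted" : "rejected");
    return 0;
}
```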

This month's batch of patches also fixes remote code execution vulnerabilities in Windows kernel mode drivers, privilege escalation flaws in ancillary function driver, security holes in Microsoft SharePoint, code execution holes in color panel control and dangerous security problems in Indeo codec and Microsoft Visio Viewer 2010.

The company also shipped fixes for vulnerabilities in .Net Framework and Microsoft Silverlight.

Talkback

118 comments
  • Theme: Remote Code Execution Repairs

    It's not just a job, it's an adventure!

    Kudos to Jan Schejbal, Stephen Fewer, and Jason Hullinger for reporting these vulnerabilities to help protect users.
    daikon
    • RE: Microsoft warns of dangerous IE browser vulnerabilities

      @daikon
      And thanks Linux.

      And thanks Apple.

      They are all the same. They all have vulnerabilities. If this upsets you so much, maybe you should consider a job that doesn't use computers in any way?
      toddbottom
      • RE: Microsoft warns of dangerous IE browser vulnerabilities

        @toddbottom
        Go ahead, explain "They are all the same."
        daikon
      • He did.

        @daikon: Right here:

        "They all have vulnerabilities."
        ye
      • RE: Microsoft warns of dangerous IE browser vulnerabilities

        @ye
        Must be a typo then. Two separate sentences.
        daikon
      • RE: Microsoft warns of dangerous IE browser vulnerabilities

        @toddbottom All operating systems, and all software written has vulnerabilities that can be exploited, but Internet Explorer is just one piece of software that just needs to die.

        I like Microsoft, I appreciate and use Windows, but IE is a disaster, and has been the one thing standing in the way of progress. It started its life not adhering to the web standards, not adopting W3C outlines, and making the web a fragmented experience. To add to that, it has been the hacker's focal point for the last few generations. Secure or not, it is the browser of choice for hackers, because it has the market share and is the default install (attractive to non-technical users).

        The death of IE has been LONG overdue.
        thoiness
      • RE: Microsoft warns of dangerous IE browser vulnerabilities

        @toddbottom No, you've missed the point -- Microsoft is having to urge all users to apply the patch. That's not necessary with Google's Chrome browser. It's not about how many vulnerabilities there are (and that argument will flame for all eternity) -- it's about the vast numbers of users who won't get around to installing the patch and need to be alerted to the urgency to do so.
        LyonJE
      • RE: Microsoft warns of dangerous IE browser vulnerabilities

        "They all have vulnerabilities."

        Vulnerabilities are not exploits. Learn to know the difference, freak.
        ScorpioBlue
      • RE: Microsoft warns of dangerous IE browser vulnerabilities

        "Vulnerabilities are not exploits. Learn to know the difference, freak."

        Exactly.

        This is a vulnerability, not an exploit.
        Michael Alan Goff
      • Goff, are you my widdle parrot?

        Do you nod your head in agreement all the time like my slave?

        I won't pay you for this, ya know...

        lol... :D
        ScorpioBlue
      • So we all agree

        this article is pointless.
        Michael Alan Goff
      • No, it got your attention

        So how can it be pointless?
        ScorpioBlue
      • RE: Microsoft warns of dangerous IE browser vulnerabilities

        @toddbottom - I fail to see anything in his post to conclude he is upset. While you are correct that all OS and software have vulnerabilities, I can't see why you would accuse someone of being upset when they clearly weren't.
        smashandgrab
    • RE: Microsoft warns of dangerous IE browser vulnerabilities

      @daikon
      mhmartin
    • RE: Microsoft warns of dangerous IE browser vulnerabilities

      @daikon You are just jealous that Micr0$uck$ LoseDoze Operating System (O/S) is the most secure O/S ever! This is because of the INNOVATION and INTELLECTUAL property that makes up the LoseDoze products. Stop bashing the most honest company in the world that makes the best products on the planet.
      HackerJ
  • Operative word: With administrator privileges

    Since Windows Vista users don't run apps with administrator privileges, not even if they *are* administrators. Indeed, thanks to IE protected mode all users run IE7 and later with *low integrity* which prevents exploits from changing the system. Unless the user switched off UAC.
    honeymonster
    • One thing I dislike about the security alerts / coverage is it always...

      @honeymonster: "Indeed, thanks to IE protected mode all users run IE7 and later with *low integrity* which prevents exploits from changing the system."

      ...ignores Protected Mode. They don't address how Protected Mode could mitigate a particular vulnerability.
      ye
      • Protected mode

        @ye I'm a Linux guy, so I don't understand protected mode. Is it like Linux's App Armor? Are we saying that Windows is normally unprotected? Is this for IE only or for the OS?
        davidr69
      • Protected Mode is a form of MAC.

        @davidr69: Do a Google search on "windows mandatory integrity levels". I attempted to provide a link but this POS talkback "lost" the message.
        ye
      • RE: Microsoft warns of dangerous IE browser vulnerabilities

        @ye Install the "Lazarus" extension (https://chrome.google.com/webstore/detail/loljledaigphbcpfhfmgopdkppkifgno) :|
        MrElectrifyer