Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

Summary: As part of this month's Patch Tuesday schedule, Microsoft plans to ship a dozen bulletins with fixes for 22 vulnerabilities in Windows, Microsoft Office and the Internet Explorer browser.

SHARE:

As part of this month's Patch Tuesday schedule, Microsoft plans to ship a dozen bulletins with fixes for 22 vulnerabilities, some serious enough to allow hackers complete access to a vulnerable Windows machine.

According to Microsoft's advance notice, three of the 12 bulletins will carry be rated "critical," the company's highest severity rating.

This month's patch batch will apply to the Microsoft Windows operating system, the Internet Explorer browser, the Microsoft Office productivity suite, Visual Studio, and IIS.

Here are some additional details, via the MSRC blog:follow Ryan Naraine on twitter

As part of this month's update, we'll be addressing issues related to two recent Security Advisories, 2490606 (a public vulnerability affecting the Windows Graphics Rendering Engine) and 2488013 (a public vulnerability affecting Internet Explorer). Additionally, we will be addressing an issue affecting FTP service in IIS 7.0 and 7.5.

However, it is important to note that the recently disclosed cross-site scripting vulnerability in MHTML will not be fixed this month.

Last week, Microsoft shipped an advisory to warn of the availability of exploit code for a serious vulnerability in all supported editions of Microsoft Windows.

The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. At this time, Microsoft has not seen any indications of active exploitation of the vulnerability.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim's Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

In the absence of a patch for that issue, Microsoft recommends the following:

  • Enable the MHTML protocol lockdown.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

The security advisory contains instructions for applying these temporary workarounds.

Topics: Software, Browser, Microsoft, Operating Systems, Security, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

32 comments
Log in or register to join the discussion
  • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

    This sh*t never ends does it ?
    chuckleberry
    • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

      @chuckleberry - I know. Flaws in software. Who ever heard of such a thing.

      Or did you mean the "end of the world' headline on this article? I wonder when that will end, myself.
      Chris The Computin' Goo-roo
      • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

        @Chris The Computin' Goo-roo
        ... actually, I was paraphrasing the announcer on this video from The Onion.
        http://www.youtube.com/watch?v=NuLkWmG3gPk
        chuckleberry
    • Key is : stand away from the target

      Much safer, great view;-)
      Richard Flude
    • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

      @chuckleberry
      Don't forget: "Security" is a billion $ business. Uncertainty, fear and panic the oil for it. ;) ;) ;)
      mousebooster
      • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

        Multi billions!!!
        Surprised there isn't a "Department of Cyberland Security".

        Think of all the (additional) unemployed multitudes if Microsoft's wares were totally and permanently hacker-proof.

        Computer viruses are GOOD for America.
        Regats
      • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

        @pipesmoker

        Usually we call this protection, Insurance, and have to pay for it!
        Eddy-ICUR12
  • Patch Tuesday

    Perhaps, rather than reward hackers with lucrative jobs, if the criminal justice system rewarded them with thirty year jail sentences with no chance for parole we might slow the exploitation of the holes that Microsoft inevitably leaves.
    GerryR1
    • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

      @GerryR1 Right... and the towers would never have been attacked on 9-11.<br><br>yeah.. harsh contrast but deterance isn't enough until someone looses their life over it. Imagine the cracker that gets caught and is publically executed for crashing someone's box. Imagine a room full of malicious spammers (not the idiots p0wn3d and relaying, the real deal "I wanna do this cause it makes me money and I don't care" type of spammer) they get slowly and methodically tortured to death, with a warning that anyone anywhere could get caught and the same done to them ... <br><br>MAYBE then they would worry... <br><br>doubtful still... cause its always someone else that gets caught.. <br><br>Further... whitehats are hackers, and they're supposed to be the good guys, so your "punish the hacker" sentiment is not well defined.
      TG2
    • Yeah...

      @GerryR1... because America is in need of more prisons. We already have the highest incarceration rate of any industrial country, if not the world. According to the <a href="http://www.nytimes.com/2008/04/23/world/americas/23iht-23prison.12253738.html">NY Times</a> <i>"The United States has less than 5 percent of the world's population. But it has almost a quarter of the world's prisoners."</i> Gee, we don't want to give welfare or healthcare to the poor, but we will give you 3 squares a day, healthcare, a bed, and a gym membership, plus round the clock care by guards in prison.

      Prison a great use of American Tax dollars.
      Snooki_smoosh_smoosh
  • Hey Microsoft!

    Don't worry!

    December 21, 2012 is coming... :D
    Compumind
    • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

      @Smart_Neuron - with our luck, Microsoft will turn out to be like a cockroach and survive even the 'pocolipse
      TG2
    • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

      @Smart_Neuron -- Does that mean we'll miss the second part of Peter Jackson's <i>The Hobbit</i>? Darn.
      avoidz
  • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

    I think that there are two sides to the Microsoft having so many problems, and this is just my opinion, and that is 1, there is this war against the founder about making so much money with the software and capitalizing on the software market solely because. 2, the more MS tries to make it hard to hack the more people want to hack it, so there is the game. As to punishment that will be up to the great creator and of course the people. But that is just my opinion.
    danny-mooney@...
  • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

    so of these 3 mentioned issues, 1 doesn't affect window 7+ , the IE vulnerabilty is limited by protected mode, the last (which I believes refers to the Telnet Interpret As Command ) issue could only cause an issue if you ran your ftp server with a non secured account. Yes these were Critical rated flaws but not exactly headline news.
    _JimB_
  • How dare they?!

    Clearly Microsoft needs to be more like Linux and Apple, they haven't invented the OS that needs 0 patches yet.
    Michael Alan Goff
    • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

      @goff256
      Yeah, but the patches are free. It is the best consumer oriented OS in the world, except for Linux, of course. You gotta pay for Apple updates.
      BigJohnLg
      • It seems like I missed a tag

        My sarcasm tag was missing D:

        And this wasn't meant to make a stab at either OS, they're both good in their own ways.

        This was meant to point out that... ya know.. every OS needs patches.
        Michael Alan Goff
      • RE: Patch Tuesday heads-up: Critical flaws in Windows, Internet Explorer

        @BigJohnLg "You gotta pay for Apple updates."

        Wha????? ...Step away from the bong. Back slowly away from the bong.
        I12BPhil
      • I think he's comparing...

        the 10.x releases with Service Packs, a mistake that a lot of users make.
        Michael Alan Goff