Microsoft has shipped a major Internet Explorer update to cover at least three code execution vulnerabilities in its flagship Web browser.
The cumulative IE update (MS07-045) headlines a bumper batch of nine bulletins that contains fixes for 14 documented software vulnerabilities.
The update affects IE 5.0 through IE 7.0 on Windows Vista but, because of defense-in-depth mitigations, the severity rating has been reduced to "important" on the newer versions.
Microsoft explains the three bugs:
In all, there are six critical bulletins in the August batch. These affect Microsoft XML Core Services (Windows 2000 through Windows Vista); Object Linking and Embedding (OLE) automation (Vista is not affected); Microsoft Excel (Office 2000, Office 2003, Office XP and Office 2004 for Mac); Graphics Rendering Engine (Windows 2000 through Windows Server 2003); and Vector Markup Language (IE 5.0 through IE 7.0 on Windows Vista).
The other three bulletins cover:
MS07-047 -- Two code execution holes in the way Windows Media Player parses and decompresses skins. This is rated "important."
MS07-049 -- Patches an elevation of privilege vulnerability in Microsoft Virtual PC and Microsoft Virtual Server that could allow a guest operating system user to run code on the host or another guest operating system. This update carries an "important" rating.
MS07-048 -- This applies to at least three serious flaws in Windows Gadgets. This "important" update is specific to Windows Vista and affects the Feed Headlines Gadget, the Weather Gadget and the Contacts Gadget.
* More to come as I wade through the nine bulletins.