/>
X

Patch Tuesday heads-up: MS to fix 'critical' IE, Office security holes

Microsoft plans to release six security bulletins next Tuesday (December 8, 2009) to fix security flaws affected IE, Microsoft Office and the Windows operating system.
ryan-naraine.jpg
Written by Ryan Naraine, Contributor on

Just two weeks after the release of exploit code for a critical (remotely exploitable) security hole in its Internet Explorer browser, Microsoft says a fix will be included in this month's batch of Patch Tuesday updates.

Microsoft has already issued an advisory to confirm the severity of the issue, which affects users of Internet Explorer 6 and Internet Explorer 7 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

In all, Microsoft plans to release six security bulletins next Tuesday (December 8, 2009) to fix security flaws affected IE, Microsoft Office and the Windows operating system.

Three of the six bulletins will be rated "critical," Microsoft's highest severity rating.  A critical vulnerability could result in remote code execution if a user opens a rigged file or simply surfs to malicious Web site.

The IE and Windows bulletins will touch all supported versions of those products, Microsoft said.  This includes Internet Explorer 8 on Windows 7.

On the Microsoft Office side, the bulletins will address security holes in Project, Word and Works 8.5.

[ SEE: Exploit published for critical IE zero-day flaw ]

Microsoft urged customers to pay special attention to the IE update because of the availability of public exploit code and the fact that attackers could launch malware attacks to take complete control of a Windows machine running a vulnerable browser

Here's the gist of the known problem:

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

See more details via Microsoft's Advance Notice Service (ANS).

Related

He flew American Airlines, she flew United. For both, the unthinkable happened
screen-shot-2022-06-30-at-10-14-36-am.png

He flew American Airlines, she flew United. For both, the unthinkable happened

Business
Southwest Airlines has cancelled 20,000 flights. Now for the really bad news
screen-shot-2021-07-07-at-4-01-12-pm.png

Southwest Airlines has cancelled 20,000 flights. Now for the really bad news

Business
McDonald's and Chick-fil-A both have a big problem. Only one has a solution
screen-shot-2022-06-28-at-6-24-27-pm.png

McDonald's and Chick-fil-A both have a big problem. Only one has a solution

Business