Four security holes have been detected and patched in the world's most
popular Web browser, Microsoft said on Wednesday,
warning that the vulnerabilities carry a 'critical' rating.
The security vulnerabilities in Microsoft's flagship Internet Explorer
(IE) browser could allow an attacker to execute arbitrary code on a user's
system if the user either browsed to a hostile web site or opened a
specially crafted HTML email message, the company warned.
On a day when it also warned of a 'critical' hole in its Outlook Express
e-mail client, the company issued a cumulative patch was issued for Internet
Explorer versions 5.01 through 6.0 and includes the functionality of all
previously released patches for the browser. Microsoft patches holes in IE Outlook News Security ZDNet Asia::
Microsoft patches holes in IE Outlook. By Robert Lemos CNET Newscom that they should apply updates for both Internet Explorer and Outlook Express to fix
http://www.zdnetasia.com/news/security/0,39044215,39128648,00.htmHOME |
The first flaw -- a buffer overrun vulnerability in URLMON.DLL -- occurs
because the browser does not correctly check the parameters of information
being received from a web server. This leaves the door open for an attacker
to take control of a susceptible system by luring the user to visit a
Website.
Microsoft said a flaw in the Internet Explorer file upload control could
let an attacker supply a file name to the file upload control and
automatically upload a file from the user's system to a web server.
The browser also contains a separate flaw in the way it handles the
rendering of third party files. "The vulnerability results because the
Internet Explorer method for rendering third party file types does not
properly check parameters passed to it. An attacker could create a specially
formed URL that would inject script during the rendering of a third party
file format and cause the script to execute in the security context of the
user," Microsoft added. Redmond Channel Partner Online | News: Microsoft's August Patch ::
Aug 12, 2008 Affected applications are Outlook Express, Windows Mail and issue remedies a couple of private reported holes in Microsoft Windows Event
http://rcpmag.com/news/article.aspx?editorialsid=10121HOME |
Microsoft closes twelve holes in Office programs - heise online UK::
Mar 12, 2008 Four updates patch holes in Excel, Office, Outlook and Office Web. so direct access to them is blocked in Outlook and Outlook Express.
http://www.heise-online.co.uk/news/Microsoft-closes-twelve-holes-in-Office-programs--/110295HOME |
The last hole was found in the way modal dialogs are treated by IE. This
flaw could be used by an attacker to gain access to files stored on a user's
computer.
In addition to correcting those four flaws, Microsoft said the patch also
includes a fix for Internet Explorer 6.0 SP1 that corrects the method by
which the browser displays help information in the local computer zone.
The patch also sets the 'Kill Bit' on the Plugin.ocx ActiveX control
which has a security vulnerability.
Microsoft cautioned that the patch will cause window.showHelp( )
to cease to function if a user does not apply the HTML Help update.
"If you have installed the updated HTML Help control from Knowledge Base
article 811830, you will still be able to use HTML Help functionality after
applying this patch," the company noted.
Separately, the software giant tagged the maximum severity rating on a cumulative patch for Outlook Express
versions 5.5 through 6.0 to fix a flaw that could allow an intruder to take
over a user's machine.
To exploit the vulnerability, attacker would have to be able to cause
Windows to open a specially constructed MHTML URL, either on a web site or
included in an HTML email message.
 Microsoft Previews Latest Windows CE .NET
 Wireless Developer Activity on the Rise: Survey
| 
HOME