gHacks technology news » internet explorer vulnerability

Microsoft Internet Explorer Security Update

Martin — Tue, 28 Jul 2009 20:40:10 +0000

Microsoft has released a critical security fix for their Internet Explorer web browsers. The vulnerability, actually its more than one that are patched by the cumulative patch, affect most Internet Explorer still in use by users worldwide including Internet Explorer 6, Internet Explorer 7 and the latest version Internet Explorer 8. The vulnerability does only affect Internet Explorer versions running on Windows operating systems. The most popular Microsoft operating systems are all affected including Windows XP, Windows Vista and even the soon to be released Windows 7.

This security update is being released out of band in conjunction with Microsoft Security Bulletin MS09-035, which describes vulnerabilities in those components and controls that have been developed using vulnerable versions of the Microsoft Active Template Library (ATL). As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035.

This security update also resolves three privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on supported editions of Microsoft Windows 2000; Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows XP; Critical for Internet Explorer 7 and Internet Explorer 8 running on supported editions of Windows Vista; Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows Server 2003; and Moderate for Internet Explorer 7 and Internet Explorer 8 running on supported editions of Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Windows users should make sure to download the security update as soon as possible. It is available at the usual sources including automatic updates, Windows Update or Microsoft Update.

Tags: internet explorer patch, internet explorer security, internet explorer vulnerability, internet-explorer, microsoft, web browser

Internet Explorer Vulnerability Fix

Martin — Tue, 07 Jul 2009 09:04:39 +0000

Microsoft has released a security advisory about a vulnerability in Microsoft Video ActiveX Control which can be exploited remotely in Internet Explorer. The vulnerability advisory states that Microsoft is aware that attackers are trying to exploit the vulnerability. Internet Explorer users are therefor advised to fix the vulnerability as soon as possible to prevent possible attacks on their computer system.

The security vulnerability affects only Windows XP and Windows Server 2003 systems. Computer systems running Windows Vista, Windows Server 2008 or Windows 7 are not affected because “the ability to pass data to this control within Internet Explorer” is restricted in these operating systems.

A successful attack will give the attacker the same user rights as the currently logged in user. Microsoft has issued a workaround for the Internet Explorer vulnerability that can be applied manually or using Microsoft Fix It.

The fastest way to patch the security vulnerability is to use the Microsoft Fix It script that will perform all the actions of the workaround automatically. The fix will basically remove support for the ActiveX Control in Internet Explorer. This should not have any impact on the web browser’s functionality according to Microsoft.

Tags: internet explorer patch, internet explorer vulnerability, internet-explorer, microsoft fix it, microsoft video activex control, security advisory, windows server 2003, windows-xp

Real Player Internet Explorer vulnerability

Martin — Thu, 13 Mar 2008 12:32:17 +0000

Internet Explorer with an installed version of Real Player beware. A vulnerability has been discovered recently which could allow remote code execution. According to Zdnet users should either switch browsers for the time until an patch is released or disabling killbits for two Active X classes. They forgot to mention the third option which would be to uninstall Real Player (temporarily).

Affected are all Real Player versions running under Internet Explorer. Microsoft has an article up that explains Killbits and what they do. They basically prevent Active X controls from being loaded in Internet Explorer. I still would recommend to either switch to Firefox or Opera temporarily or uninstall Real Player for the time until a security patch has been created.

Researcher Elazar Broad has posted to the Full Disclosure mailing list a so-called heap overflow vulnerability that makes it possible for an attacker to modify heap blocks after they are freed and overwrite certain registers.

The killbits that should be disabled are the following:

2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

This will definitely have the effect that some Real Player functions will stop working properly.

Tags: internet explorer vulnerability, internet-explorer, microsoft, real player, vulnerability

gHacks technology news » internet explorer vulnerability

Microsoft Internet Explorer Security Update

Related posts

Internet Explorer Vulnerability Fix

Related posts

Real Player Internet Explorer vulnerability

Related posts