Patch Tuesday Brings Two Fixes
As promised, Microsoft on Tuesday rolled out two security updates as part of its monthly Patch Tuesday program, one rated "important" and the other "critical." The patches fix flaws in Internet Explorer, as well as a vulnerability in the Windows Kernel.
Microsoft has fixed four critical vulnerabilities in Internet Explorer versions 5 and 6. The update replaces an earlier cumulative fix issued in October of this year.
The fixes address a flaw in which an attacker could manipulate a file download dialog box to achieve remote code execution, but Microsoft said "significant user interaction" was required to exploit the vulnerability.
Another patch fixes an HTTPS proxy vulnerability that could allow an attacker to read secure Web addresses sent in clear text from Internet Explorer to a proxy server. A third fix involves the way IE represents COM objects. A hacker could take complete control of a user's system by exploiting this vulnerability.
Finally, a fix has been provided for a flaw in the way the browser handles mismatched DOM objects, which could result in the loss of control of a computer system, much like the COM vulnerability.
Security firm Secunia discovered the vulnerabilities and provided Microsoft with the necessary data to help correct the issues, the company said.
According to the Secunia Web site, the DOM flaw was discovered in May and rated as a "highly critical" vulnerability.
The second patch, rated "important," involves a flaw that could allow code to elevate itself to the highest possible privilege level, which is the kernel, to execute on Windows 2000 systems. The flaw could be used to compromise a vulnerable system.
Microsoft rated the flaw "important" rather than "critical" because the attacker must be logged into the system in order to take advantage of it. The problem was first reported in May by the firm eEye Digital Security, which rated it as a "medium" level vulnerability.