IE Flaws Focus of April Patch Tuesday
Microsoft's Internet Explorer browser was the focus of a majority of the fixes in Tuesday's monthly security update from the Redmond company. Altogether, five updates were issued, including three "critical," one "moderate," and another rated "important."
The Internet Explorer update was issued as a cumulative fix addressing ten vulnerabilities within the browser. The patch includes a fix for the much-publicized "createTextRange()" flaw, as well as fixes for HTML parsing errors, script executions, and address bar spoofing issues among others. All the flaws could result in a remote code execution risk, Microsoft said.
Separate of the Microsoft announcement, security firm eEye Digital Security said Tuesday that its temporary fix for the createTextRange() issue was downloaded by 156,000 customers in nearly two weeks.
While Microsoft frowns on the practice of applying third-party patches, the firm released data that indicated 98 percent of IT professionals would deploy a third-party patch if the vulnerability was severe enough.
"This vulnerability needed to be dealt with immediately, and so our research team quickly developed and tested a patch that specifically addressed the issue without creating a loss of functionality," eEye co-founder Marc Maiffret argued.
The update for Internet Explorer is intended for all versions of the operating system according to the advisory. Additionally, it includes a modification to the way ActiveX controls are rendered in the browser to address a possible patent infringement issue.
Other critical updates include a patch for a flaw in the execution of the RDS.Dataspace ActiveX control, and for a vulnerability in Windows Explorer's handling of COM objects. By visiting a specially designed Web site, attackers could make Explorer fail. This could open a hole to allow code execution, says Microsoft. As with the other critical flaws, all versions of Windows are affected.
Additionally, an "important" update was issued that addresses issues with how Outlook Express 5.5 and 6 handle Windows Address Book, or .wab, files. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in its advisory.
Finally, an important update was issued for FrontPage Server Extensions. A flaw within the technology could allow for cross-site scripting, the company said. However, user interaction is needed to exploit the problem. "The script could spoof content, disclose information, or take any action that the user could take on the affected web site," Microsoft warned.
Beyond the patches, an update was issued Tuesday for the Malicious Software Removal Tool that would detect the Win32/Locksky, Win32/Valla and Win32/Reatle viruses.