Microsoft on Tuesday released a "critical" Internet Explorer update that fixes 10 vulnerabilities in the Web browser, including a high-profile bug that is already being used in cyberattacks.
The software giant sent out the IE megafix as part of its monthly cycle of bulletins. In addition, Microsoft delivered two bulletins for "critical" Windows flaws, one for an "important" vulnerability in Outlook Express and one for a "moderate" bug in a component of FrontPage and SharePoint.
"This patch release is a big one with lots of aftershocks," said Jonathan Bitle, a product manager at security company Qualys. "Three of the five updates, the IE and Windows updates, are especially critical as they take advantage of inexperienced users... Although a worm epidemic is unlikely, users can be easily enticed to visit malicious Web pages."
Eight of the ten vulnerabilities repaired by the IE update could be abused to gain complete control over a Windows computer running vulnerable versions of the Web browser. In all instances, an attacker would have to create a malicious Web site and trick people into visiting that site to hook into a PC, Microsoft said in its Security Bulletin MS06-013.
Microsoft rates its browser update "critical" for IE 5 and IE 6, the most-used versions of the popular software. IE is vulnerable on all current versions of the Windows operating system — Windows 2000, Windows XP and Windows Server 2003 — as well as on Windows 98 and Windows Millennium Edition, the company said.
"An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system," Microsoft said in its alert. "We recommend that customers apply the update immediately." Windows users who have automatic updates enabled for the operating system will have the fixes delivered to them.
Microsoft had been under pressure to rush the IE patch out before Tuesday because miscreants were already exploiting one of the flaws. Third parties had even provided temporary fixes for this CreateTextRange() bug, which is being used by malicious Web sites to try to drop code such as spyware on vulnerable PCs.
According to Microsoft's bulletin, three of the ten vulnerabilities fixed by the update had been publicly disclosed. Only the CreateTextRange() flaw was being exploited in attacks, the software maker said.
But Symantec has information that three of the flaws were already being exploited in attacks prior to Microsoft's patch release. More attacks are likely to follow, Oliver Friedrichs, a director at Symantec Security Response, said in a statement. "According to the latest Symantec Internet Security Threat Report, the average time between the release of a security patch and the development of an exploit is six days," he said.
Holes in Windows
In a double-whammy for Windows users, all versions of the operating system vulnerable to the IE problems are also affected by two other "critical" flaws, Microsoft said. These holes could also allow an intruder to commandeer a PC. MS06-014 is related to a specific ActiveX control and MS06-015 deals with a bug in Windows Explorer.
In these cases also, an intruder would have to build a special Web page to take advantage of the security hole. Some of the vulnerabilities in Windows and IE could also be exploited using an HTML email.
Users of Outlook Express face an additional security risk, in that the email application is flawed in the way it handles Windows Address Book files. Opening a specially crafted WAB file can result in execution of malicious code, giving an attacker control of the Windows PC, Microsoft said in Security Bulletin MS06-016.
The Windows bugs as well as the Outlook Express flaw were reported privately to Microsoft and have not been used in any attacks, the company said.
The last of the five security alerts issued by Microsoft, MS06-017, affects the lowest number of users and is deemed a "moderate" risk. The cross-site scripting flaw in FrontPage Web site building software and SharePoint collaboration software could lead to a system compromise, the company said.
Eolas tweaks
The IE update, in addition to security fixes, makes a change to the way IE handles ActiveX controls. These tweaks are a response to a long-running patent dispute between Microsoft and Eolas Technologies, a start-up backed by the University of California. The changes can affect how certain sites display in the browser.
People who need more time to adjust to the ActiveX changes can download a special patch that will disable them for two months. This "compatibility patch" is specifically designed for businesses that may have homegrown applications that use ActiveX, Microsoft has said.
Talkback
What about the next ten, and the next ten, and the next ten, etc. Virus and worm writers don't attack M$ because they are the dominant desktop, they attack because it is so easy to get into the OS. Everything inter-connected and open for exploit.
I recieved this update automatically last night.
Unfortunately, there seem to be bugs with the function to 'Save Attachment' in Outlook and I cannot open files with Digital Image Pro. Both of these functions halt their program. Image Pro will not display tree of files to select from and hangs. Explorer seems to work fine when acessing files.
It is not safe to use Internet Explorer. It is also not safe to use automatic windows update, for more or less the same reasons.
Just installed the "patches" (got an automatic notifier). Guess what? The "patches" killed Windows Explorer.
Fortunately, my system is set up to establish restore points every evening, so a quick restore to last night and all works again.
The problem was identified at:
http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=185302749
Microsquash might not want to admit a problem, but it's there. My HP Officejet is a good indicator that CRN was correct.