Microsoft Nabs 28 Flaws in Year's Last Patch Haul
Internet Explorer, ActiveX and Office lead the hit parade in 2008's final round of monthly security fixes -- which also happens to be its largest.
The company today released its Patch Tuesday fixes for December, and it's a large one, with eight different security bulletins addressing 28 vulnerabilities.
The Internet Explorer browser gets tagged for four issues with a critical severity rating -- the maximum. The first of the four IE issues, described as a "Parameter Validation Memory Corruption Vulnerability," deals with a security flaw in the way that IE Web navigation works.
The second IE issue fixed by Microsoft, titled, "HTML Objects Memory Corruption Vulnerability," addresses the potential for remote code execution in how IE accesses uninitialized memory in certain circumstances.
Microsoft also tackled one flaw it called "Uninitialized Memory Corruption Vulnerability," which stems from a problem in how the browser accesses an object that has been deleted, as well as "HTML Rendering Memory Corruption Vulnerability," which centers on a security hole in how IE embeds objects into a Web page.
"The security update addresses these vulnerabilities by modifying the way that Internet Explorer validates parameters, handles the error resulting in the exploitable condition, and handles extra data when embedding objects in Web pages," Microsoft stated in its advisory on the IE fixes.
The problems affect Internet Explorer versions 5, 6 and 7. Microsoft has not identified whether or not the Internet Explorer 8 Beta 2 browser is at risk, and has not issued an update for the beta.
ActiveX, search and Office
In addition to the IE-specific fixes, Microsoft this month is also patching five issues that affect ActiveX controls for Microsoft Visual Basic 6.0 Runtime Extended Files. ActiveX is widely used within IE and across Web sites as a mechanism for dynamic functionality.
The vulnerabilities stem from memory corruption issues that could be tapped by an attacker to execute remote code. Microsoft said it fixed the issues in the update by improving validation and error handling within the ActiveX controls.
Windows Search users also need to pay attention to a pair of fixes in this month's updates. According to Microsoft's advisory on the issue, an attacker could potentially take control of a user's PC if the user opens, saves or clicks on a maliciously crafted saved-search file within Windows Explorer.
"The security update addresses the vulnerabilities by modifying the way that Windows Explorer frees memory when saving Windows Search files and by modifying the way that Windows Explorer interprets parameters when parsing the search-ms protocol," Microsoft said in its advisory.