Microsoft Nabs 28 Flaws in Year's Last Patch Haul

Microsoft users are getting an early present from the software giant this December -- that is, if you consider the biggest security fix list of the year to be a gift.

The company today released its Patch Tuesday fixes for December, and it's a large one, with eight different security bulletins addressing 28 vulnerabilities.

The Internet Explorer browser gets tagged for four issues with a critical severity rating -- the maximum. The first of the four IE issues, described as a "Parameter Validation Memory Corruption Vulnerability," deals with a security flaw in the way that IE Web navigation works.

According to Microsoft's advisory, an attacker could exploit the vulnerability by constructing a specially crafted Web page that can allow for remote code execution if visited by an unprotected user.

The second IE issue fixed by Microsoft, titled, "HTML Objects Memory Corruption Vulnerability," addresses the potential for remote code execution in how IE accesses uninitialized memory in certain circumstances.

Microsoft also tackled one flaw it called "Uninitialized Memory Corruption Vulnerability," which stems from a problem in how the browser accesses an object that has been deleted, as well as "HTML Rendering Memory Corruption Vulnerability," which centers on a security hole in how IE embeds objects into a Web page.

"The security update addresses these vulnerabilities by modifying the way that Internet Explorer validates parameters, handles the error resulting in the exploitable condition, and handles extra data when embedding objects in Web pages," Microsoft stated in its advisory on the IE fixes.

The problems affect Internet Explorer versions 5, 6 and 7. Microsoft has not identified whether or not the Internet Explorer 8 Beta 2 browser is at risk, and has not issued an update for the beta.

ActiveX, search and Office

In addition to the IE-specific fixes, Microsoft this month is also patching five issues that affect ActiveX controls for Microsoft Visual Basic 6.0 Runtime Extended Files. ActiveX is widely used within IE and across Web sites as a mechanism for dynamic functionality.

The vulnerabilities stem from memory corruption issues that could be tapped by an attacker to execute remote code. Microsoft said it fixed the issues in the update by improving validation and error handling within the ActiveX controls.

Windows Search users also need to pay attention to a pair of fixes in this month's updates. According to Microsoft's advisory on the issue, an attacker could potentially take control of a user's PC if the user opens, saves or clicks on a maliciously crafted saved-search file within Windows Explorer.

"The security update addresses the vulnerabilities by modifying the way that Windows Explorer frees memory when saving Windows Search files and by modifying the way that Windows Explorer interprets parameters when parsing the search-ms protocol," Microsoft said in its advisory.

This article was first published on InternetNews.com.
