Microsoft Fixes 23 Vulnerabilities Including Critical IE Flaws

Microsoft released 8 updates for a variety of products fixing a total of 23 vulnerabilities, many of them critical flaws affecting Internet Explorer. Applying the most urgent patches quickly would be wise.

MS11-076 is an "important" security update that resolves a publicly disclosed vulnerability in Windows Media Center. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file located in the same network directory as a specially crafted dynamic link library (DLL) file: while opening the legitimate file, Windows Media Center could attempt to load the DLL and execute any code it contained, according to Microsoft. For an attack to succeed, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file there. MS11-075 and MS11-076 are examples of a vulnerability class called "remote binary planting," which has required dozens of fixes from Microsoft and third-party application vendors in the last year.

An important security update was also issued for MS11-077, which resolves four privately reported vulnerabilities in Windows, Microsoft reported. The most severe of these could allow remote code execution if a user opens a specially crafted font file (such as a .fon file) in a network share, a UNC or WebDAV location, or an e-mail attachment. For a remote attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the specially crafted font file, or open the file as an e-mail attachment.

MS11-079 is a security update for five privately reported vulnerabilities in Forefront Unified Access Gateway (UAG). The most severe of these vulnerabilities could allow remote code execution if a user visits an affected Web site using a specially crafted URL, Microsoft reported. However, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, the firm said.

MS11-080 is a security update resolving a privately reported vulnerability in the Windows Ancillary Function Driver (AFD). If an attacker logs on to a user's system and runs a specially crafted application, the vulnerability could allow elevation of privilege. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability, Microsoft said.

The final security update is for MS11-082, which resolves two publicly disclosed vulnerabilities in Host Integration Server. The vulnerabilities could allow denial of service if a remote attacker sends specially crafted network packets to a Host Integration Server listening on UDP port 1478 or TCP ports 1477 and 1478, Microsoft said. It recommended firewall best practices and standard default firewall configurations as a way to help protect networks from attacks that originate outside the enterprise perimeter. Another recommendation is that systems connected to the Internet have only a minimal number of ports exposed. In this case, the Host Integration Server ports should be blocked from the Internet, Microsoft advised.
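As an added example (not from the article and not Microsoft's own guidance), the following PowerShell script reports whether anything on the host is listening on the Host Integration Server ports named above and then adds Windows Firewall rules blocking inbound traffic to them on the Public (Internet-facing) profile; it assumes Windows Firewall with Advanced Security (netsh advfirewall) and an elevated session on the HIS host.

```powershell
# Added example: audit and restrict the Host Integration Server ports named
# in MS11-082 (UDP 1478, TCP 1477 and 1478). Assumes netsh advfirewall is
# available and the script runs as an administrator on the HIS host.

$hisPorts = @(
    @{ Protocol = 'UDP'; Port = 1478 },
    @{ Protocol = 'TCP'; Port = 1477 },
    @{ Protocol = 'TCP'; Port = 1478 }
)

# 1. Report whether anything is currently listening on those ports.
#    netstat -ano prints one line per socket: "TCP 0.0.0.0:1477 ... LISTENING pid".
$sockets = netstat -ano
foreach ($p in $hisPorts) {
    $pattern = "^\s*$($p.Protocol)\s+\S+:$($p.Port)\s"
    $hits = $sockets | Where-Object { $_ -match $pattern }
    if ($hits) {
        Write-Output "LISTENING $($p.Protocol)/$($p.Port):"
        $hits | ForEach-Object { Write-Output "  $_" }
    } else {
        Write-Output "not listening $($p.Protocol)/$($p.Port)"
    }
}

# 2. Block inbound traffic to those ports on the Public profile only, leaving
#    Domain/Private (intranet) traffic untouched. Block rules take precedence
#    over allow rules in Windows Firewall, so this holds even if an installer
#    added its own allow rule for HIS.
foreach ($p in $hisPorts) {
    $proto = $p.Protocol
    $port  = $p.Port
    $name  = "Block HIS $proto $port from Internet"
    # Remove any earlier copy so the script is safe to re-run.
    netsh advfirewall firewall delete rule name="$name" 2>$null | Out-Null
    netsh advfirewall firewall add rule name="$name" dir=in action=block `
        protocol=$proto localport=$port profile=public
}

# 3. Show the resulting rules so the change can be verified.
netsh advfirewall firewall show rule name="all" | Select-String "Block HIS"
```

If the HIS ports must also be reachable from only specific intranet hosts, narrow the Domain/Private profiles further with an allow rule carrying `remoteip=` set to those addresses rather than relying on the profile split alone.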
