Microsoft Fixes 23 Vulnerabilities Including Critical IE Flaws - InformationWeek

10/11/2011
07:48 PM


Microsoft released 8 updates for a variety of products fixing a total of 23 vulnerabilities, many of them critical flaws affecting Internet Explorer. Applying the most urgent patches quickly would be wise.

Microsoft issued its monthly security bulletins today, including two updates rated “critical” that could allow remote code execution. The first, MS11-078, addresses a vulnerability in .NET Framework and Microsoft Silverlight. The second, MS11-081, is a cumulative security update for Internet Explorer. Six other updates were rated “important.”

Microsoft also issued guidance for prioritization of patching.

[Figure: Patch Deployment Priority]

MS11-078 resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. Left unfixed, Microsoft said, it could allow remote code execution on a client system if a user views a specially crafted web page in a browser running XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured with fewer user rights would be less affected than users who operate with administrative user rights, according to Microsoft. Because of the vulnerability, remote code execution is also possible on a server system running IIS, "if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a web hosting scenario," Microsoft reported. The vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

The MS11-081 update resolves eight privately reported critical Internet Explorer vulnerabilities, Microsoft reported. The most severe outcome would be remote code execution if a user views a specially crafted web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user, according to Microsoft. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. All shipping versions of IE, including IE9, are affected by at least one critical vulnerability.

A privately reported vulnerability in the Active Accessibility component, MS11-075, has also been patched. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file, Microsoft said. The Microsoft Active Accessibility component could attempt to load the DLL file and execute any code it contained while opening the legitimate file, the firm said. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
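A defender-side illustration of the MS11-075 condition described above, added here and not taken from Microsoft or InformationWeek: it flags DLL loads from UNC or WebDAV paths and raises severity when the DLL sits in the same directory as the opened document. The event field names, hosts and file names are constructed assumptions, not a real telemetry schema.

```python
import ntpath  # Windows path semantics on any platform

# Constructed sample events; field names are hypothetical, modeled on
# process image-load telemetry joined with the document the process opened.
EVENTS = [
    {"process": r"C:\Program Files\App\viewer.exe",
     "document": r"\\fileserver\projects\q3\report.doc",
     "module": r"C:\Windows\System32\sample.dll"},
    {"process": r"C:\Program Files\App\viewer.exe",
     "document": r"\\203.0.113.7\public\docs\invoice.doc",
     "module": r"\\203.0.113.7\public\docs\sample.dll"},
    {"process": r"C:\Program Files\App\viewer.exe",
     "document": r"C:\Users\a\Desktop\notes.doc",
     "module": r"\\host.example@SSL\DavWWWRoot\drop\sample.dll"},
]

def is_remote(path):
    """True for UNC paths (SMB shares and WebDAV redirector paths).
    Mapped drive letters are not caught here; the collector would have
    to resolve them to UNC form first."""
    drive, _ = ntpath.splitdrive(path)
    return drive.startswith("\\\\")

def is_webdav(path):
    """Heuristic: the WebDAV redirector exposes paths under DavWWWRoot,
    optionally with an @SSL or @port suffix on the host name."""
    return is_remote(path) and "\\davwwwroot\\" in path.lower()

def classify(event):
    """Return a finding for a DLL loaded from a remote location, else None."""
    module, doc = event["module"], event.get("document", "")
    if not module.lower().endswith(".dll") or not is_remote(module):
        return None
    # The case the bulletin describes: DLL in the same directory as the document.
    beside = bool(doc) and (ntpath.normcase(ntpath.dirname(module))
                            == ntpath.normcase(ntpath.dirname(doc)))
    return {"module": module, "webdav": is_webdav(module),
            "beside_document": beside,
            "severity": "high" if beside else "medium"}

def findings(events):
    return [f for f in map(classify, events) if f]

if __name__ == "__main__":
    for f in findings(EVENTS):
        print(f["severity"], f["module"])
```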
