
Microsoft plugs zero-day IE hole

Cumulative Internet Explorer bulletin affects current Windows versions, including Windows 7.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Microsoft released fixes on Tuesday for critical vulnerabilities in Internet Explorer, including one for which exploit code has been released.

Adobe, meanwhile, was scheduled to release a critical update affecting Flash Player and Adobe AIR, following news of exploit code being released for a vulnerability in Illustrator CS3 and CS4 on Windows and Mac last week.

Microsoft's regular Patch Tuesday release includes six security bulletins addressing 12 vulnerabilities in IE, Windows, Windows Server, and Office.

However, priority should be given to the cumulative IE bulletin, which covers IE 6, IE 7, and IE 8 on all major Windows versions, including Windows 7. The bulletin fixes five holes that could allow an attacker to remotely take control of a system in drive-by download attacks. The fix also addresses a problem with ActiveX controls built with Microsoft Active Template Library (ATL) headers that could allow remote code execution.

"Vulnerabilities in IE are generally pretty serious because all you have to do is go to a Web page or get referred to one" that has malicious code on it, said Jason Avery, manager of the Digital Vaccine service at TippingPoint. Three of the IE holes were disclosed through TippingPoint's Zero Day Initiative program over the summer, he said.

Another critical bulletin plugs holes in Windows' Internet Authentication Service and a third critical bulletin fixes a vulnerability in Microsoft Office Project. The three bulletins rated "important" fix holes in Windows involving the Local Security Authority Subsystem Service and Active Directory Federation Services, as well as a hole in WordPad and Office Text Converters.

The bulletins affect: Windows 2000, Windows XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, Office 2003, Project 2000, Project 2002, Office Project 2003, Works 8.5, and Office Converter Pack.

[Chart] This chart shows the priority in which Microsoft suggests deploying the latest patches. The cumulative IE bulletin is the most important. (Image credit: Microsoft)

Meanwhile, one bulletin rated "important" is being re-released to offer additional protections in the Domain Name Service for Windows 2000 Service Pack 4 systems. It addresses vulnerabilities in the DNS client and DNS server that could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems.

Microsoft also released two new security advisories related to Integrated Windows Authentication and Indeo Codec. The Indeo Codec update, which applies to Windows XP and Server 2003, blocks the codec from being used in IE and Windows Media Player in the Internet Zone, Microsoft said in a Technet post. And the Integrated Windows Authentication advisory includes several nonsecurity updates that implement Extended Protection for Authentication to protect authentication credentials on the Windows platform.

In addition, Microsoft updated its Malicious Software Removal Tool to detect and remove the Win32/Hamweq worm.

"What's missing from today's patch is the fix for an outstanding denial of service attack that affects Microsoft's newest operating systems: Windows 7 and 2008 Server," said Andrew Storms, director of security operations at nCircle.