'Critical' megapatch sews up 10 holes in IE

Microsoft bulletins highlight browser flaw being used in cyberattacks, plus fix bugs in Windows and other software.

Joris Evers Staff Writer, CNET News.com
Microsoft on Tuesday released a "critical" Internet Explorer update that fixes 10 vulnerabilities in the Web browser, including a high-profile bug that is already being used in cyberattacks.

The Redmond, Wash., software giant sent out the IE megafix as part of its monthly Patch Tuesday cycle of bulletins. In addition, Microsoft delivered two bulletins for "critical" Windows flaws, one for an "important" vulnerability in Outlook Express and one for a "moderate" bug in a component of FrontPage and SharePoint.

"This patch release is a big one with lots of aftershocks," said Jonathan Bitle, a product manager at security company Qualys. "Three of the five updates, the IE and Windows updates, are especially critical as they take advantage of inexperienced users ... Although a worm epidemic is unlikely, users can be easily enticed to visit malicious Web pages."

Eight of the 10 vulnerabilities repaired by the IE update could be abused to gain complete control over a Windows computer running vulnerable versions of the Web browser. In all instances, an attacker would have to create a malicious Web site and trick people into visiting that site to hook into a PC, Microsoft said in its Security Bulletin MS06-013.

Microsoft rates its browser update "critical" for IE 5 and IE 6, the most-used versions of the popular software. IE is vulnerable on all current versions of the Windows operating system--Windows 2000, Windows XP and Windows Server 2003--as well as on the older Windows 98 and Windows Millennium Edition, the company said.

"An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system," Microsoft said in its alert. "We recommend that customers apply the update immediately." Windows users who have automatic updates enabled for the operating system will have the fixes delivered to them.

Microsoft had been under pressure to rush the IE patch out before Tuesday because miscreants were already exploiting one of the flaws. Third parties had even provided temporary fixes for this "CreateTextRange" bug, which experts said was being used by malicious Web sites to try to drop code such as spyware on vulnerable PCs.

According to Microsoft's bulletin, three of the 10 vulnerabilities fixed by the update had been publicly disclosed. Only the CreateTextRange flaw was being exploited in attacks, the software maker said.

But Symantec has information that three of the flaws were already being exploited in attacks prior to Microsoft's patch release. More attacks are likely to follow, Oliver Friedrichs, a director at Symantec Security Response, said in a statement. "According to the latest Symantec Internet Security Threat Report, the average time between the release of a security patch and the development of an exploit is six days," he said.

Holes in Windows
In a double whammy for Windows users, all versions of the operating system vulnerable to the IE problems are also affected by two other "critical" flaws, Microsoft said. These holes could also allow an intruder to commandeer a PC. One is related to a specific ActiveX control, a kind of Web program (MS06-014), and the other deals with a bug in Windows Explorer (MS06-015).

In these cases, too, an intruder would have to build a special Web page to take advantage of the security hole. Some of the vulnerabilities in Windows and IE could also be exploited using an HTML e-mail, which is essentially a Web page sent in an e-mail message.

Users of Outlook Express face an additional security risk, in that the e-mail application is flawed in the way it handles Windows Address Book files. Opening a specially crafted WAB file can result in execution of malicious code, giving an attacker control of the Windows PC, Microsoft said in Security Bulletin MS06-016.

The Windows bugs as well as the Outlook Express flaw were reported privately to Microsoft and have not been used in any attacks, the company said.

The last of the five security alerts issued by Microsoft, MS06-017, affects the lowest number of users and is deemed a "moderate" risk. The cross-site scripting flaw in FrontPage Web site building software and SharePoint collaboration software could lead to a system compromise, the company said.

Eolas tweaks
The IE update, in addition to security fixes, makes a change to the way IE handles ActiveX controls. These tweaks are a response to a long-running patent dispute between Microsoft and Eolas Technologies, a start-up backed by the University of California. The changes can affect how certain sites display in the browser.

People who need more time to adjust to the ActiveX changes can download a special patch that will disable them for two months. This "compatibility patch" is specifically designed for businesses that may have homegrown applications that use ActiveX, Microsoft has said.