This week in software flaws
Microsoft releases "critical" IE update that fixes 10 flaws in Web browser, including a high-profile bug that is being used in cyberattacks.
The software giant sent out the IE megafix as part of its monthly Patch Tuesday cycle of bulletins.
In addition, Microsoft delivered two bulletins for "critical" Windows flaws, one for an "important" vulnerability in Outlook Express and one for a "moderate" bug in a component of FrontPage and SharePoint. Eight of the 10 vulnerabilities repaired by the IE update could be abused to gain complete control over a Windows computer running vulnerable versions of the Web browser. In all instances, an attacker would have to create a malicious Web site and trick people into visiting that site to hook into a PC.
Mozilla also made some revisions, releasing an update to its Firefox Web browser that fixes several security flaws and, as expected, adds support for Macs with Intel processors. The most serious bugs in Firefox could allow an outsider to commandeer a vulnerable computer, according to the Burning Edge, a Web site that tracks development of the open-source browser.
The vulnerabilities are fixed in version 1.5.0.2, which was released on Thursday.
Meanwhile, Oracle accidentally let slip details on a security flaw it has yet to patch. The business software giant is usually secretive about security and critical of researchers who publicly discuss flaws in Oracle products. But on April 6, the company itself published a note on its MetaLink customer Web site with details about an unfixed flaw.
Oracle confirmed the accidental posting. "Information regarding a security vulnerability was inadvertently posted to MetaLink," a representative for the company said. "We are currently investigating events that led to the posting."