Microsoft plugs critical IE, .Net holes

Microsoft today issued eight security bulletins plugging 23 holes, including a critical patch for vulnerabilities that could allow an attacker to take control of a computer, if someone visited a malicious Web page using Internet Explorer.

The cumulative IE patch, MS11-081, fixes eight holes and is rated high priority among today's Patch Tuesday bulletins, which include two rated critical and six rated important.

The other high-priority bulletin is MS11-078, which fixes a vulnerability in .Net Framework and Microsoft Silverlight that could allow an attacker to remotely execute code on a machine, if a user views a malicious Web page using a Web browser that runs Extensible Application Markup Language (XAML) applications or Silverlight applications, according to a Microsoft Security Response Center blog post. Server systems running Internet Information Services are also at risk, if an attacker is able to upload a malicious ASP.Net page to the server and executes it, the company said.

The other bulletins resolve issues in Windows, Microsoft Forefront United Access Gateway, and Microsoft Host Integration Server, according to the bulletin advisory.

"Overall, this Patch Tuesday is fairly moderate. Three of the included vulnerabilities have been previously disclosed, and there is an available proof-of-concept code," said Dave Marcus, director of security research and communications at McAfee Labs. "Administrators should pay special attention to the critical flaw affecting Internet Explorer and Windows users, which, left unpatched, can allow attackers to remotely spread a virus. IT administrators should also be aware that the .Net issue also affects Mac OS clients."