Microsoft Patches Critical Bugs In Internet Explorer

As expected, one of the four fixes for IE is a patch for the zero-day vulnerability acknowledged by Microsoft in late November.

Microsoft's first bulletin, MS050-054, fixes four separate bugs in Internet Explorer, two of them marked with Microsoft's most serious label, critical.

Those two relate to IE's problem handling malicious COM objects and a more recent issue that's emerged with active scripting. Attackers exploiting the problems can grab control of a PC remotely, then do whatever they want with the compromised machine.

The other two flaws fixed Tuesday in IE were marked "moderate" by Microsoft.

All four issues affect virtually every version of IE still supported, including IE 5.0, 5.5, and 6.0. Even the more secure IE 6.0 running under Windows XP SP2 is vulnerable.

Some of the bugs rely on social engineering tricks -- one vulnerability lies in the how IE displays file download boxes -- but all require that users be duped into visiting malicious Web sites where exploits were waiting in ambush.Two of the four bugs were previously unreported, but two were known by attackers, and one -- the vulnerability in active scripting -- was already being exploited. That situation, a so-called "zero-day" event where an active exploit beats a patch to the punch, is the most serious of security scenarios.

"That's the one everyone will be asking about today," said Steve Manzuik, the security product manager for eEye Digital Security's research group.

Earlier, Microsoft had issued an advisory about the zero-day bug, and also urged users to scan their systems using Microsoft's Windows Live Safety Center.

The second bulletin, numbered MS05-055, was credited to eEye. Although it's marked as "important," one step below "critical" on Microsoft's four-level warning system, eEye's Manzuik argued that it posed a risk almost as great as the Internet Explorer flaws.

"By itself [MS05-055] is only a local escalation of privileges, but if it's combined with something else, a worm or Trojan that leverages another IE vulnerability, it would give the attack system-level access," said Manzuik.

The patch fixes the vulnerability in Windows 2000's processing of asynchronous procedure calls within the kernel. eEye's alert notes that the bug also exists in Windows NT 4.0; Microsoft discontinued all but custom support for that operating system late last year.

Users can obtain the month's patches via Windows' Automatic Update, from the Microsoft Update service, or through other software and services the company maintains, such as Windows Server Update Services (WSUS) or Software Update Services (SUS).