Microsoft Zaps Critical IE, Silverlight Bugs In October Patch Update

Microsoft gave its 'Critical' rating to two of the updates, one for Internet Explorer and the other for Microsoft .NET Framework and Microsoft Silverlight.

The Internet Explorer update (MS11-081) addressed eight privately reported vulnerabilities, the most serious of which could lead to remote code execution if an IE user were to visit a rigged Web page.

"Internet Explorer vulnerabilities are very common targets of attackers and it will probably be no different with these. Users and IT departments should patch these right away," said Joshua Talbot, security intelligence manager, Symantec Security Response, in a statement.

Microsoft's .NET Framework & Silverlight update (MS11-078) fixes a privately reported vulnerability that could pave the way for remote code execution if a user were to visit a rigged Web page using a Web browser that's capable of running XAML Browser Applications (XBAPs) or Silverlight applications.

According to Microsoft, this flaw could also be exploited on servers running Internet Information Services. However, for this to happen, the server would have to be set up to process ASP.NET pages, and an attacker would have to succeed in uploading a rigged ASP.NET page to the server and then execute the page, according to Microsoft.

"This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions," Microsoft said in the bulletin.

Dave Marcus, director of security research and communications at McAfee Labs, described this Patch Tuesday as "fairly moderate."

"Three of the included vulnerabilities have been previously disclosed and there is an available proof-of-concept code," Marcus said in a statement. "Administrators should pay special attention to the critical flaw affecting Internet Explorer and Windows users, which, left unpatched, can allow attackers to remotely spread a virus. IT administrators should also be aware that the .NET issue also affects Mac OS clients."

Noting that IE and Silverlight are both in widespread use, Kaspersky Lab senior security researcher Kurt Baumgartner said exploitation of their vulnerabilities will lead to remote code execution in a wide range of Windows versions.

"It would be surprising to not see related exploits added to packs and widely used in attack attempts over the coming months," he said in a statement.