Microsoft Issues Critical IE Fix In 10-Patch Update

Altogether, the 10 patches -- three of which repair critical glitches -- address vulnerabilities in Windows, Microsoft Office, IE, Internet Information Services and the .NET Framework.

Thus far, there are no active attacks exploiting the vulnerabilities covered in the June patch load. However, Microsoft is placing its highest deployment priority on the three patches designated with the highest severity ranking of "critical," said Jerry Bryant, Microsoft group manager for response communications, in a blog post.

Among the highest priority patches was a cumulative update for IE, addressing a total of six vulnerabilities, one of which was publicly disclosed. The IE vulnerability, which Microsoft first reported in February, was given an exploitability index rating of "1," indicating that researchers expect an active exploit within 30 days.

Users could become victims of an attack by visiting a malicious Web site on affected versions of IE, including IE 8, supported on various editions of Windows. Generally, users will be lured to such sites through social engineering schemes, which entice them to open embedded links in e-mail messages, IM or social networking sites.


Security experts contend that the IE patch and the Windows media patches should, by far, have top billing when prioritizing patch deployment.

"IE is the most targeted application out there," said Jason Miller, data and security team manager for Shavlik Technologies.

Microsoft also issued a Windows media fix for a remote code execution vulnerability in Quartz.dll and Asycfilt.dll, ranked "critical" on all supported versions of Windows. Hackers could exploit the vulnerability by creating a specially crafted media file that automatically dropped code on users' computers when they visited a Web page or opened a malicious file.

"MS10-033 is a vulnerability in the MJPEG codec and affects a large number of Microsoft products but its main attack vector is going to be through media files delivered through the Internet to Windows Media Player or IE," said Wolfgang Kandek, Qualys CTO, in an e-mail.

Miller said that media files would continue to be a popular target for hackers as users take mobile devices, such as smartphones and laptops, home for personal use and visit malicious or infected sites outside the corporate firewall.

In addition, Microsoft is launching a cumulative fix for ActiveX Kill Bits, rated "critical" on Windows 2000, XP, Vista and Windows 7 and on all supported editions of Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. The fix sets kill bits for two controls -- the IE 8 developer tools control and the Data Analyzer ActiveX control, the latter of which is not installed by default.

As with other security bugs, the ActiveX vulnerabilities could enable remote code execution attacks if a victim were to view a malicious Web page that instantiates an affected ActiveX control while running IE.
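A kill bit is simply a flag (0x400 in the "Compatibility Flags" value) stored under a control's CLSID in the ActiveX Compatibility registry key; once it is set, IE refuses to instantiate that control. The following PowerShell script is an added example, not code from the article or from Microsoft, that an administrator could run after deploying a kill-bit update to confirm which controls are blocked and to check one specific CLSID. The registry paths and the 0x400 flag are standard; the CLSID passed to Test-KillBit at the bottom is a placeholder, since the article does not list the affected controls' identifiers.

```powershell
# Added example: enumerate ActiveX controls whose kill bit is set, and test one CLSID.
# Registry locations consulted (64-bit hosts keep a second copy under Wow6432Node).
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD.
$killBit = 0x400

function Get-CompatFlags {
    param([string]$Key)
    # Returns the Compatibility Flags value, or $null if the key or value is absent.
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Get-KillBittedControls {
    # Emits one object per CLSID that currently has the kill bit set.
    foreach ($base in $paths) {
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base | ForEach-Object {
            $flags = Get-CompatFlags -Key $_.PSPath
            if ($null -ne $flags -and (($flags -band $killBit) -eq $killBit)) {
                [PSCustomObject]@{
                    Clsid = $_.PSChildName          # subkey name is the control's CLSID
                    Flags = ('0x{0:X}' -f $flags)
                    Hive  = $base
                }
            }
        }
    }
}

function Test-KillBit {
    # $true if the given CLSID is kill-bitted in either hive, $false otherwise.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $paths) {
        $flags = Get-CompatFlags -Key (Join-Path $base $Clsid)
        if ($null -ne $flags -and (($flags -band $killBit) -eq $killBit)) { return $true }
    }
    return $false
}

# Usage: list everything that is blocked, then check one control.
Get-KillBittedControls | Format-Table -AutoSize
# Placeholder CLSID (hypothetical); substitute the control you want to verify.
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Run it in an elevated prompt after the update has installed; a control the update was meant to block should appear in the first listing and Test-KillBit should return $true for its CLSID. A control absent from both hives has no kill bit at all, which is worth distinguishing from a control that is present but has other compatibility flags set.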

The seven patches given the slightly less severe ranking of "important" include a fix for three vulnerabilities in SharePoint Server that could lead to an elevation-of-privilege attack if a hacker were to convince a victim to click on a malicious link on a SharePoint site.

Other "important" fixes incorporated in this month's patch include ones repairing vulnerabilities in Windows Kernel-Mode drivers, COM validation in Microsoft Office, OpenType Compact Font Format driver, Microsoft Excel, Internet Information Services, and Microsoft .NET Framework, some of which could enable remote code execution.