Microsoft Fixes IE, Windows DNS Server Flaws In Patch Tuesday Update
Microsoft's Internet Explorer bulletin (MS11-057) covers seven vulnerabilities, five of which were privately reported to Microsoft and two of which were disclosed publicly. The most severe of these vulnerabilities carry the threat of remote code execution, and could enable attackers to execute drive-by malware downloads by getting users to visit a rigged Web page.
Microsoft has rated the MS11-057 update "Critical" for Internet Explorer 6 on Windows clients, and for Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9; and "Important" for Internet Explorer 6 on Windows servers.
Microsoft's MS11-058 bulletin patches two privately reported vulnerabilities in Windows DNS server, one of which is a remote code execution flaw that stems from the software's improper handling of a NAPTR (Naming Authority Pointer) query string in memory.
If successfully exploited, the vulnerability could allow an attacker to run arbitrary code with full system privileges, which means they'd be able to install programs, view, alter or delete data, and basically treat that system like their own personal amusement park.
"The DNS vulnerability could result in a complete system compromise," Joshua Talbot, security intelligence manager at Symantec Security Response, said in a statement distributed to media outlets. “Because no user interaction is needed, a vulnerable service simply needs to be up and running for the vulnerability to be exploited."
Microsoft labeled nine of its August bulletins as "Important," two of which carry the potential for remote code execution, including two flaws in Microsoft Visio that attackers could exploit by getting users to open a rigged Visio file. The remainder of the Important bulletins and two bulletins that Microsoft rated "Moderate" could result in elevation of privilege, denial of service and information disclosure, the software giant said.