Stephen Withers
Friday, 22 January 2010 01:41
The promised out-of-band patch for Internet Explorer has arrived, but Microsoft is now warning of an unpatched vulnerability in the Windows kernel.
As promised, Microsoft released a patch for the Internet Explorer vulnerability apparently used in the so-called 'Aurora' attack from China against Google and other companies.
Seven privately reported vulnerabilities are also patched by this update.
The update is regarded as critical on all currently supported versions of Internet Explorer and Windows, with the exception of Internet Explorer 6 on Windows Server 2003 where it is only classified as moderate.
The list of issues addressed comprises one XSS filter script handling vulnerability (Internet Explorer 8 only, potential information disclosure), one URL validation vulnerability (Internet Explorer 7 and 8, potential remote code execution), four uninitialised memory corruption vulnerabilities (at least one issue in this category applies to every version of Internet Explorer, potential remote code execution or denial of service), and two HTML object memory corruption vulnerabilities (all versions of Internet Explorer except 5.01 on Windows 2000, potential remote code execution).
Even with the patches for older versions, Microsoft is still urging all customers to upgrade to Internet Explorer 8.
As reported yesterday, products other than Internet Explorer that use the mshtml.dll for rendering were potentially vulnerable to exploits. "Installing today’s Internet Explorer update addresses the vulnerability across all applications," confirmed Jerry Bryant of Microsoft's Security Response Center.
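Because the rendering engine is shared, the exposure is not limited to the browser process. The following PowerShell script is an added example, not part of the article or any Microsoft material: it lists the running processes that currently have mshtml.dll loaded and reports the file version of the system copy, so an administrator can see which applications on a host depend on the engine and compare the installed build against the fixed version given in Microsoft's bulletin. The fixed version is a placeholder to be filled in from the bulletin; the article does not state it.

```powershell
# Added example (not from the article). Inventory processes that have loaded
# mshtml.dll and report the installed file version of the system copy.
# Run from an elevated prompt: enumerating another process's modules needs
# administrator rights and still fails for some protected or cross-bitness
# processes, which are skipped rather than treated as clean.

$ModuleName = 'mshtml.dll'

# Placeholder: replace with the fixed file version from Microsoft's bulletin.
$FixedVersion = [version]'0.0.0.0'

# Installed version of the system copy, built from the numeric parts because
# the FileVersion string carries a textual branch suffix that [version] rejects.
$SystemCopy = Join-Path $env:SystemRoot "System32\$ModuleName"
$vi = (Get-Item $SystemCopy).VersionInfo
$Installed = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"

if ($Installed -lt $FixedVersion) {
    Write-Output "mshtml.dll $Installed is older than fixed version $FixedVersion"
} else {
    Write-Output "mshtml.dll $Installed meets or exceeds $FixedVersion"
}

# Every process with the engine loaded is affected by the same bug and fixed by
# the same update, so this is the list to restart after patching.
$Loaded = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }) {
            [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id }
        }
    } catch {
        # Access denied or 32/64-bit mismatch: cannot inspect, so skip.
    }
}

Write-Output "Processes with $ModuleName loaded:"
$Loaded | Format-Table -AutoSize
```

Processes that could not be inspected are omitted from the table, so an empty result from a non-elevated prompt is not evidence that nothing else uses the engine.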
Microsoft has admitted that it knew of the vulnerability before the December attack, and has also warned of a vulnerability in the Windows kernel, so please read on.