Patch Tuesday Brings Two Fixes
By Ed Oswald | Published December 13, 2005, 2:36 PM
As promised, Microsoft on Tuesday rolled out two security updates as part of its monthly Patch Tuesday program, one rated "important" and the other "critical." The patches fix flaws in Internet Explorer, as well as a vulnerability in the Windows Kernel.
Microsoft has fixed four critical vulnerabilities within Internet Explorer versions 5 and 6, replacing an earlier cumulative fix issued in October of this year.
The fixes address a flaw in which an attacker could manipulate a file download dialog box to allow for remote code execution, but Microsoft said "significant user interaction" was required to exploit the vulnerability.
Another patch fixes an HTTPS proxy vulnerability that could allow an attacker to read secure Web addresses sent in clear text from Internet Explorer to a proxy server. A third fix involves the way IE represents COM objects. A hacker could take complete control of a user's system by exploiting this vulnerability.
Finally, a fix has been provided for a flaw in the way the browser handles mismatched DOM objects, which could result in the loss of control of a computer system, much like the COM vulnerability.
Security firm Secunia discovered the vulnerabilities and provided Microsoft with the necessary data to help correct the issues, the company said.
According to the Secunia Web site, the DOM flaw was discovered in May and rated as a "highly critical" vulnerability.
The second patch, rated "important," involves a flaw that could allow code to elevate itself to the highest possible privilege level, the kernel, and execute on Windows 2000 systems. The flaw could be used to compromise a vulnerable system.
Microsoft rated the flaw "important" rather than "critical" because the attacker must be logged into the system in order to take advantage of it. The problem was first reported in May by eEye Digital Security, which rated it as a "medium" level vulnerability.
Can anyone give the URL for the KB910437 patch?
edit: Never mind, found it.
Score: 0
|"Two fixes"? Great.
That was sarcasm by the way.
Score: 0
|Actually one fix if you count the fact that XP is not affected by the kernel exploit, only 2000.
Score: 0
|"One fix"? Great
That was more sarcasm by the way
Score: 0
|There will be 2 patches, if you use Windows Update. One is the IE security flaw. Another is not security-related but more like a bug fix for Windows Update.
Score: 0
|I especially like all the NTOS* system files that get replaced under Windows 2000. That leaves me with warm fuzzies as I reboot.
Score: 0
|Hahaha.
Score: 0
|This is so cool! With IE's DLLs gutted from my system, now I never have to worry about these IE exploits again!
Score: 0
|Oh great, more fake press releases from Microsoft designed to make the general public think they are actually doing something to protect them from identity theft, viruses, etc.
All this is a thinly veiled attempt to avoid the huge class action lawsuits that are coming their way.
I can just hear the Microsoft meetings about this... "Hey, instead of re-designing Windows properly to correct all these security flaws, let's have more fake press releases about fake security updates to convince the dimwits out there that we are doing something! Holee great idea Josh, here's another million."
Let the name calling begin...
Score: 0
|Oh yes, because Linux is so properly designed that it NEVER has flaws right ;-)
Score: 0
|and firefox has been having so many security fixes lately
Score: 0
|I'm really curious:
What OS do you use?
Score: 0
|Firefox doesn't need security fixes, they get it right the first time. According to Secunia as of Dec. 13th IE has 21 vulnerabilities and Firefox has 3.
Score: 0
|Yes, because we all know that Secunia is a credible source for security information. *eyeroll*
eEye, at least, is reliable and responsible in their reporting, and at least they offer software that helps analyze and mitigate problems.
Score: 0
|Please don't feed the trolls or squeeze the Charmin. Thank you!
Score: 0
|That may be true, but 3 is still not ZERO is it? And the extent of those vulnerabilities, is what the factor is. If they are gaping holes, then it's a problem... and the fact that you posted this, with knowledge that there ARE 3 vulnerabilities, and they are NOT fixed, tells me they are not addressed, and why is that? Gee you think maybe because they can't fix them?
Firefox is NOT any better off than IE, 1 vulnerability or 100, it depends on severity, 1 major fix could ideally fix them ALL. Firefox is STILL subject to problems, so don't pretend that because it apparently has less, doesn't make it less problematic.
Score: 0
|...well who is better is not something we can necessarily prove with statistics or numbers. If that were the case IE would be better as it still holds over 85% of the browser market. Does that mean it's better? Not necessarily. Now, I use IE because I believe it is better, but that's only me.
Score: 0
|"Yes, because we all know that Secunia is a credible source for security information."
LOL love the sarcasm!
Score: 0
|No answer?
Score: 0
|This one time, at band camp, I kept hearing about Windows security problems. So I went on my PC and found the folder called "Windows" and deleted it. That fixed everything. I recommend everyone else do the same! Snap!
Score: 0
|Hmm, I don't know, but you seem really stupid for doing that. Go back to Linux and make free love to your other Linux fanboys.
Score: 0
|Why don't you do us all a favour and disconnect your internet connection too?
Score: 0
|It was a joke, and the fact that you two didn't pick up on it means that you should disconnect your computers from the net, not him.
Score: 0
|It's amazing how stupid and vocal some people in the open source community can be.
It shows how much you understand software with the pathetic sorry comments you make. "Firefox has no flaws" right... !!And the moon is made of cheese.
"MS pretends to fix flaws" ... lol .. so you are saying a patched system still has the same flaw? How clever are you. That must be quite a feast for spyware developers. Amazing that MS wouldn't get sued for doing that only because they make fake fixes. LOLL. you are such a loser man.
GET your facts right before you blurt out crap from your sorry brain.
It's great to see MS take security seriously and since the past year they have been crowned the most secure OS by the sheer number of flaws discovered as compared to Linsux.
Just because there is this large Linux developer community who obviously will be very vocal about their software being good doesn't make Windows bad. The software speaks for itself no matter how much crap people in the open source community blurt out from their ass.
Score: 0