Five Fixes Enroute, New IE Flaw Found
Microsoft said Thursday that it plans to release five security patches as part of its monthly Patch Tuesday program next week. With this month's advanced notice, the Redmond company disclosed the nature of at least one of the fixes, a break from its normal policies.
Microsoft normally does not provide details of specific fixes to prevent hackers from taking advantage of flaws before it has a chance to address them. However, with the "CreateTextRange" vulnerability, exploit code is already available, and third parties have even gone as far to create their own patches for the flaw.
"Our test and engineering plan for that update that we began two weeks ago is on track to have that update ready for Tuesday," Microsoft's Stephen Toulouse said. "The IE team is still hard at work."
As news of the fixes broke, security firm Secunia disclosed a new active scripting flaw within Internet Explorer. According to the advisory, the vulnerability exists in how the browser loads Flash format files, and exploit code is available to take advantage of the issue.
Secunia claims that a hacker could use the flaw in order to initiate phishing attacks. A test to see if a user's browser is vulnerable was posted on the firm's Web site. No indication was given as to whether the flaw may be fixed within this month's updates.
Altogether, four patches including the "CreateTextRange" fix will be issued for Windows, with the highest severity rating of those being "critical." Another patch will address a flaw affecting Windows and Office, with a rating of "moderate."
According to eEye Digital Security, one "overdue" vulnerability has not been patched yet by Microsoft: a denial-of-service issue that exists in Windows 2000, 2003 and XP. The firm has rated this as a "medium risk" issue.
eEye rates a vulnerability as overdue after sixty days, and publicly discloses the issue in a general fashion to alert users of its presence.
In addition to the patches, Microsoft said it planned to release an update to the Malicious Software Removal Tool -- as it does each month -- and one additional high-priority non-security update via Microsoft Update.