July 3rd, 2008

On deck from MS: Four ‘important’ patches but nothing for IE

Posted by Ryan Naraine @ 12:57 pm

Categories: Patch Watch, Hackers, Zero-day attacks, Microsoft, Windows Vista, Browsers, Vulnerability research, Responsible disclosure, Exploit code, Data theft, Pen testing, Arbitrary Code Execution, Malware

Tags: Patch Management, Microsoft Internet Explorer, Microsoft Corp., Flaw, Web Browsers, Microsoft Windows, Security, Internet, Operating Systems, Software

Next Tuesday, Microsoft plans to ship four security updates for multiple flaws affecting Windows, Microsoft SQL Server and Microsoft Exchange Server but the absence of fixes for publicly known Internet Explorer issues is causing raised eyebrows among security professionals.

According to the company’s advance notice for July’s Patch Tuesday, all four bulletins will be rated “important,” meaning that these flaws could be exploited to result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.

All supported versions of Windows are affected by these bulletins, including the newest Windows Vista and Windows Server 2008 operating systems.

[ SEE: Exploit code released for unpatched IE 7 vulnerability ]

However, if you’re an Internet Explorer user, you can’t be happy that Microsoft is leaving you on hold for another month without a cumulative IE update.

There are several known — and publicly discussed — code execution flaws haunting the world’s most widely used browser.  These include the Safari-to-IE bug reported by Aviv Raff, the cross-domain zero-day affecting IE 6, the cross-site scripting bug reported by Roel Schouwenberg, the print table of links issue, and the serious iFrame hijacking flaw discussed by Sirdarckat.

There really is no excuse for the delay in patching the Safari-to-IE code execution flaw. It was reported to Microsoft since 2006!

* Image source: Jeff Wilcox’s Flickr photostream (Creative Commons 2.0).