ID: IRCNE2011081211
Date: 2011-08-10
According to “ZDNET”, Microsoft yesterday warned that multiple gaping security holes in its Internet Explorer browser could expose millions of Web surfers to hacker attacks via rigged web pages.
As part of this month’s Patch Tuesday release, Microsoft shipped a “critical” IE bulletin (MS11-057) with fixes for a total of seven security flaws. Two of the vulnerabilities were publicly discussed prior to the availability of the patch.
The company expects to see reliable exploits developed within the next 30 days.
Because these vulnerabilities expose IE and Windows users to drive-by download attacks without any user action beyond surfing to a booby-trapped web site, Microsoft is strongly recommending that all Windows users apply the patch immediately.
The IE update is rated “critical” for Internet Explorer 6 on Windows clients, and for Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9; and Important for Internet Explorer 6 on Windows servers.
Microsoft also called special attention to MS11-058, a “critical” bulletin that addresses a pair of serious security holes in the Windows DNS Server.
The more severe of these vulnerabilities could allow remote code execution if an attacker registers a domain, creates a NAPTR DNS resource record, and then sends a specially crafted NAPTR query to the target DNS server. Servers that do not have the DNS role enabled are not at risk, Microsoft explained.
In an attack scenario, the company said that a malicious attacker can send a name resolution request to the victim DNS server that is configured to issue requests to a malicious DNS server. Because of the vulnerabilities, the response from the malicious DNS server to the victim DNS server is improperly handled, resulting in a denial-of-service condition on the victim DNS server.
The August Patch Batch also fixes these serious problems:
- MS11-063: An “important” vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS) that could allow elevation of privilege.
- MS11-062: A vulnerability in the Remote Access Service NDISTAPI Driver. This could allow elevation of privilege.
- MS11-064: Provides patches for a pair of vulnerabilities in the TCP/IP stack. The vulnerabilities could allow denial-of-service (blue screen).
This month’s patch release also includes fixes for denial-of-service bugs in Remote Desktop Protocol (MS11-065); a pair of code execution holes in Microsoft Visio (MS11-060); a solitary bug in ASP.NET Chart Controls that causes information disclosure (MS11-066); a data exposure flaw in Microsoft Report Viewer (MS11-067); and an elevation of privilege bug in Remote Desktop Web Access (MS11-061).