Microsoft Fixes Critical Internet Explorer Flaws
This month's Patch Tuesday round of Microsoft software updates will fix a pair of critical Internet Explorer flaws that put every current consumer version of Windows at risk of being attacked.
"Generally, when Microsoft patches IE, the patch is delivered as a single bulletin," said Andrew Storms, director of security operations at nCircle in San Francisco.
"The planned delivery of two separate IE bulletins has my 'Spidey' senses on alert," he said. "I'm sure other IT security teams are wondering exactly what kind of IE valentine we're going to get."
Browsers have become the target of choice for malware writers, who embed hidden code in compromised websites to infect visiting computers via drive-by downloads.
Other critical patches in this month's round include two for Windows XP (one of which also affects Vista) and another for Microsoft Exchange Server, the enterprise software that runs email in many companies.
Microsoft never says exactly what's being patched before it pushes out its updates, which normally come on the second Tuesday of every month. (The highest-priority flaws get fixed in emergency "out of cycle" updates.)
We'll have more information about what's being specifically patched once Microsoft pushes out the update tomorrow (Feb. 12).
Seven other flaws being patched are deemed "important" by Microsoft.
Four of those patches — bulletins 7, 8, 9 and 11 according to Microsoft's pre-release documentation — involve privilege escalation, in which a user or process with limited rights is elevated to administrator level, with the power to make changes to the system.
"Hackers could phish users and then leverage 7, 8 and 9 to get system-level control of their machines," said Alex Horan, senior product manager at Boston's CORE Security. "That is essentially a worst-case scenario and a potential knockout punch for security personnel."
Home and small-business users of Windows should enable automatic updates in Windows Update, which is found under Control Panel. Larger enterprises usually choose to implement their patches manually.