Microsoft patches critical IE, Silverlight drive-by bugs

Fixes 23 flaws, including one that also affects Mac users running Silverlight plug-in

By , Computerworld |  Security, Internet Explorer, Microsoft

Storms highlighted MS11-078 if only because of its novelty. "We're used to the IE bugs, but [MS11-078] has three different attack vectors, and the Web hosting one has high potential for exploitation," Storms said.

"If a Web hosting environment allows users to upload custom ASP.NET applications, an attacker could upload a malicious ASP.NET application that uses this vulnerability to break out of the sandbox used to prevent ASP.NET code from performing harmful actions on the server system," said Microsoft in its accompanying bulletin.

Storms said he could see attackers try to leverage that to compromise servers at an Internet service provider (ISP).

Microsoft also returned to the "DLL load hijacking" well this month, Miller and Storms both noted. DLL load hijacking, sometimes called "binary pre-loading," describes a class of bugs first revealed in August 2010. Microsoft has been patching its software to fix the problem -- which can be exploited by tricking an application into loading a malicious file with the same name as a required dynamic link library, or DLL -- since last November.

So far, said Miller, Microsoft has released 17 security updates to fix DLL load-hijacking issues in its software.

Today's additions patched Windows Media Player and an accessibility component meant to make Windows usable by the disabled.

Miller reminded users that Microsoft published a tool more than a year ago that blocks attacks based on DLL load hijacking.

October's security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services. The sole exception is MS11-079 , which must be manually downloaded from the company's download center .

Originally published on Computerworld |  Click here to read the original story.
Join us:






Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.


    Learn more

Answers - Powered by ITworld

Ask a Question