Of the six security bulletins that Microsoft released, three were rated ‘critical’ and three as ‘important’, the first and second tiers of severity in its lexicon. There were 12 vulnerability fixes in total.
The critical IE patch in security update MS09-072, which covers Internet Explorer versions 6 and 7, fixes five privately reported browser security vulnerabilities and one publicly disclosed vulnerability, Microsoft said. Attackers are already believed to be working to turn the public proof-of-concept into a reliable exploit, which means that affected browsers should be patched for the security vulnerability as soon as possible.
The critical rating was applied because: “The vulnerabilities could allow remote code execution if a user views a specially crafted [or malicious] web page using Internet Explorer”, the supplier added. Cross-site scripting could also be used to automatically execute or redirect users to malicious code running on a malicious or breached website.
The other two critical updates related to serious bugs in the supplier’s Internet Authentication Service for the Windows operating system (MS09-071) and its Project project-management application (MS09-074).
In the first instance, each security vulnerability “could allow remote code execution if messages received by the Internet Authentication Service server are copied incorrectly into memory when handling PEAP authentication attempts”, Microsoft said. Such activity would enable an attacker to take complete control of an affected system.
In the second instance, a single vulnerability “could allow remote code execution if a user opens a specially crafted Project file”, again enabling people with malicious intent to take control of an affected system, Microsoft said. Versions 2000 SR-1, 2002 SP1 and 2003 SP3 of the Project application are affected by the security flaw.
Microsoft released a total of 74 security bulletins this year, which is about the same number as in previous years.