Watch out. Microsoft has announced that IE vulnerabilities have been discovered and that users should take precautions by downloading the latest security patch, MS12-0100.
What the Browser Vulnerability Leaves Open
The most severe browser vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer.
- An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user.
- Users whose accounts are at the administrative level could be impacted more than users who have fewer user rights on the system.
What the patch does
The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles content during copy and paste processes; how it handles objects in memory; and how it creates and initializes strings.
Microsoft also announced a vulnerability that could allow remote code execution if a user opens a specially crafted media file that is hosted on a website or sent as an email attachment. Microsoft says that if a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. That vulnerability is discussed in MS12-013.
The security update addresses the vulnerability by modifying the way that the msvcrt dynamic link library (DLL) calculates the size of data structures in memory. Microsoft did not specify what the calculations reported, but one would think that the number represented the size of the content, and that this number could be extended or modified to exploit the software and make room for attackers to enter.
Security Update Download Options
Microsoft announces upgrades and makes them available for download on a Tuesday. If your computer is set for automatic download, the patch will be placed on the computer automatically. If not, review the computer's update settings to make the download available.