By Elinor Mills
InSecurity Complex
CNet News
December 8, 2009
Microsoft released fixes on Tuesday for critical vulnerabilities in
Internet Explorer, including one for which exploit code has been
released.
Adobe, meanwhile, was scheduled to release a critical update affecting
Flash Player and Adobe AIR, following news of exploit code being
released for a vulnerability in Illustrator CS3 and CS4 on Windows and
Mac last week.
Microsoft's regular Patch Tuesday release includes six security
bulletins addressing 12 vulnerabilities in IE, Windows, Windows Server,
and Office.
However, priority should be given to the cumulative IE bulletin, which
affects all major Windows versions including Windows 7, IE 6, IE 7, and
IE 8. The bulletin fixes five holes that could allow an attacker to
remotely take control over a system in drive-by download attacks. The
fix also addresses a problem with ActiveX controls built with Microsoft
Active Template Library (ATL) headers that could allow remote code
execution.
"Vulnerabilities in IE are generally pretty serious because all you have
to do is go to a Web page or get referred to one" that has malicious
code on it, said Jason Avery, manager of the Digital Vaccine service at
Tipping Point. Three of the IE holes were disclosed through Tipping
Point's Zero Day Initiative program over the summer, he said.