RealTime IT News

Microsoft Patches 0-Day IE Flaws

Microsoft rushed out a full patch for five separate vulnerabilities affecting its Internet Explorer browser, one of which was publicly disclosed while four were privately reported to Microsoft.

"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," Microsoft stated in its security bulletin on the issue. "An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user."

The flaws affected multiple versions of IE including IE 6, 7, 8 and 9. IE 10, which is currently only available for Windows 8, is not affected by the flaws.

"Today we released a security update to address the Internet Explorer issue impacting a small number of customers," said Yunsun Wee, director, Trustworthy Computing Group. "While attacks have been limited, for increased protection customers should apply the update as soon as possible if they do not have automatic updates enabled."

All five of the flaws are use-after-free errors, in the OnMove, Event Listener, Layout Use, cloneNode and execCommand functions. In a use-after-free flaw, memory that was allocated for legitimate use is still referenced after that use has ended and the memory has been freed, and an attacker abuses that freed memory.

Read the full story at eSecurity Planet:
Microsoft Releases Out-of-Band Update for IE Flaw

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.