Patch available via WU

Feb 11, 2009 12:25 GMT

Microsoft has patched two security vulnerabilities affecting Internet Explorer 7 on Windows Vista Service Pack 1 (SP1) and Windows XP SP3, both of which could have allowed an attacker to execute code remotely on a vulnerable computer if successfully exploited. Microsoft noted, however, that both security holes had been privately reported and that, for this reason, the risk to users is minimal. According to the Redmond company, simply visiting a malicious website is enough for an exploit to trigger the vulnerabilities. Still, users running with standard privileges are less exposed to attack than those using administrator accounts.

“The IE Cumulative Security Update for February 2009 is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already to ensure that you receive the latest updates for all Microsoft products,” stated Terry McCoy, program manager, Internet Explorer Security. “This update addresses two privately reported vulnerabilities. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles the error resulting in the exploitable condition.”

The two vulnerabilities are an Uninitialized Memory Corruption flaw and a CSS Memory Corruption flaw; both affect Internet Explorer 7, but not IE6 or IE5. In the first, the way IE accesses an object that has already been deleted exposes the system to remote code execution. The same condition applies to the way the browser handles Cascading Style Sheets (CSS).

“This security update is rated Critical for all supported versions of Internet Explorer 7 running on supported editions of Windows XP and Windows Vista. For Internet Explorer 7 running on Windows Server 2003 and Windows Server 2008, the security update is rated Moderate. For Internet Explorer Beta products, download locations are available in the Knowledge Base Article. IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer,” McCoy added.