The vulnerabilities could allow attackers to run code on an unpatched system

Dec 12, 2012 07:40 GMT

Microsoft yesterday rolled out the last Patch Tuesday fixes of the year, issuing a total of seven updates intended to repair vulnerabilities in Windows 8 and Internet Explorer 10.

Security bulletin MS12-077 is specifically aimed at Internet Explorer and is designed to patch three different privately reported vulnerabilities in Microsoft’s in-house browser.

The most severe security flaw would allow an attacker to run malicious code on an unpatched system and gain the same rights as the currently logged-in user.

“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft said.

The update is marked as “critical” for Internet Explorer 9 and Internet Explorer 10 (on both Windows 8 and Windows 7) and “moderate” for IE9 and IE10 on Windows Server.

“This security update has no severity rating for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8, because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration. However, as a defense-in-depth measure, Microsoft recommends that customers of this software apply this security update,” the company explains.

Just as we told you a few hours ago, Microsoft has also released an update to fix Adobe Flash Player vulnerabilities in Internet Explorer 10.

The patch is aimed at IE10 running on Windows 8, Windows Server 2012 and Windows RT. This is a cumulative update, so users do not need to download previous fixes to patch their systems.

As usual, these updates are delivered via the integrated Windows Update tool and do not require user interaction if this feature is turned on.