Also for Windows Server 2008 R2 IDX and RC

Jul 29, 2009 07:47 GMT

Microsoft has released security updates for Windows 7 and Windows Server 2008 R2 designed to bulletproof Internet Explorer 8 against attacks targeting browser components and controls built with vulnerable versions of the Microsoft Active Template Library (ATL). To this end, the Redmond company has started offering Microsoft Security Bulletin MS09-034, rated Critical, namely the Cumulative Security Update for Internet Explorer (972260), via Windows Update and also through the Download Center. The links to the security updates for Windows 7 and Windows Server 2008 R2, in the IDX and Release Candidate Build 7100 development milestones, can be found at the bottom of this article.

Customers running pre-release versions of Windows 7 and Windows Server 2008 R2 should know that Internet Explorer 8 on the two operating systems is not itself affected by the Active Template Library vulnerabilities. The patches released by Microsoft are, in this regard, a preemptive move, set up to safeguard users against potential attacks and exploits aimed at vulnerable controls.

“While Internet Explorer is not itself vulnerable to the ATL issue, the IE team has built a defense-in-depth change that can help protect against attempts to attack controls or components containing the ATL vulnerabilities. This update also addresses an issue where attackers can attempt to bypass the “killbit” protections in IE. Finally, this update also addresses three unrelated, responsibly disclosed vulnerabilities,” explained Christopher Budd, security program manager, Microsoft Security Response Center.

As for the additional security issues patched by MS09-034, neither the 32-bit, nor the 64-bit or Itanium flavors of Windows 7 and Windows Server 2008 are impacted by the vulnerabilities. In addition, exploiting such a vulnerability on either of the two platforms would be an extremely cumbersome task because of the various mitigations Microsoft has put in place, starting with Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

“Internet Explorer 8 offers enhanced protections by enabling DEP/NX memory protections by default for users on Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and Windows 7. DEP/NX helps foil attacks by preventing code from running in memory that is marked non-executable. Combined with Address Space Layout Randomization (ASLR), DEP/NX reduces the ability of attackers to successfully exploit certain types of memory-related vulnerabilities,” Microsoft explained.

In addition, Windows 7 users enjoy an additional layer of protection thanks to User Account Control, provided that it is turned on, which forces IE8 to run in Protected Mode. “Internet Explorer 7 and Internet Explorer 8 on Windows Vista and later operating systems run in Protected Mode by default in the Internet security zone. Protected Mode significantly reduces the ability of an attacker to write, alter, or destroy data on the user's machine or to install malicious code. This is accomplished by using the integrity mechanisms of Windows Vista and later, which restrict access to processes, files, and registry keys with higher integrity levels,” the company added.
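The article names three host-side defenses that an administrator can verify rather than take on trust: that the KB972260 update is installed, that the kill bit is set for a given ActiveX control, and that UAC and Protected Mode are on for the Internet zone. The following PowerShell script is an added, read-only audit written for this page; it is not code from the article or from Microsoft. It assumes the well-known registry locations Microsoft documents for the ActiveX kill bit (the 0x400 bit of "Compatibility Flags" under the "ActiveX Compatibility" key) and for the Internet-zone Protected Mode setting (value 2500 under zone 3); the CLSID it checks is a constructed placeholder, not a real control.

```powershell
# Added example (not from the article or Microsoft): read-only audit of the
# defenses the article mentions, for a Windows 7 / Server 2008 R2 host.
# Assumed: well-known registry locations for the ActiveX kill bit and the
# Internet-zone Protected Mode setting; the CLSID below is a placeholder.

function Test-Kb972260Installed {
    # Get-HotFix lists installed updates; a null result means KB972260 is absent.
    $fix = Get-HotFix -Id 'KB972260' -ErrorAction SilentlyContinue
    return ($fix -ne $null)
}

function Test-KillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    # IE consults HKLM\...\ActiveX Compatibility\{CLSID}; bit 0x400 in
    # "Compatibility Flags" is the kill bit that stops the control from loading.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($flags -eq $null) { return $false }
    return (($flags -band 0x400) -ne 0)
}

function Test-UacEnabled {
    # Protected Mode depends on UAC; EnableLUA = 1 means UAC is on.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $sys -Name 'EnableLUA' -ErrorAction SilentlyContinue).EnableLUA
    return ($lua -eq 1)
}

function Test-ProtectedModeInternetZone {
    # Zone 3 is the Internet zone; value 2500 = 0 means Protected Mode on, 3 means off.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $pm = (Get-ItemProperty -Path $zone -Name '2500' -ErrorAction SilentlyContinue).'2500'
    # The value is absent when the default (enabled) has never been changed.
    return (($pm -eq $null) -or ($pm -eq 0))
}

# Placeholder CLSID (constructed, not a real control) to exercise the kill-bit check.
$sampleClsid = '{00000000-0000-0000-0000-000000000000}'

$report = New-Object PSObject -Property @{
    'KB972260 installed'           = Test-Kb972260Installed
    "KillBit set for $sampleClsid" = Test-KillBit -Clsid $sampleClsid
    'UAC enabled'                  = Test-UacEnabled
    'Protected Mode (Internet)'    = Test-ProtectedModeInternetZone
}
$report | Format-List
```

Run it from an elevated PowerShell prompt so the HKLM reads succeed. Two caveats: on 64-bit Windows, kill bits for 32-bit controls live under the Wow6432Node branch of the same key, so a complete audit checks both views; and a Protected Mode value of 0 only takes effect when UAC is enabled, which is why the script reports both.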

Cumulative Security Update for Internet Explorer 8 in Windows 7 IDX for x64-based Systems (KB972260)

Cumulative Security Update for Internet Explorer 8 for Windows 7 IDX (KB972260)

Cumulative Security Update for Internet Explorer 8 in Windows 7 Release Candidate (KB972260)

Cumulative Security Update for Internet Explorer 8 in Windows 7 Release Candidate for x64-based Systems (KB972260)

Update for Internet Explorer 8 in Windows Server 2008 R2 Release Candidate for x64-based Systems

Update for Internet Explorer 8 in Windows Server 2008 R2 Release Candidate for Itanium-based Systems

Update for Internet Explorer 8 in Windows Server 2008 R2 IDX x64

Update for Internet Explorer 8 in Windows Server 2008 R2 IDX IA-64

Update for Internet Explorer 8 in Windows Server 2008 R2 IDX x86