Microsoft to plug critical drive-by attack flaw

 

Gallery

By Stewart Mitchell

Posted on 6 Jul 2012 at 10:59

Microsoft will release nine patches – three of them critical - in next week’s Patch Tuesday security update.

The three critical patches fix vulnerabilities in Microsoft software that allow remote code execution, two of them in Windows and one in Internet Explorer, the company said in its advance notice bulletin.

Although Microsoft does not disclose which exact vulnerabilities will be patched until it's ready to deliver, security experts believe the key patch will be to plug a vulnerability spotted last month that could be used to install malware in drive-by attacks.

“Bulletin 1, rated ‘critical’, affects all versions of Windows, and we expect it to address the XML vulnerability disclosed by Microsoft in June's Patch Tuesday as KB2719615,” said Wolfgang Kandek, CTO of security firm Qualys.

The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer

“This bulletin will be the highest priority for users, at least for those who did not apply Microsoft's FixIt supplied in the advisory.”

Active attacks

According to Microsoft, there are already attacks targeting the vulnerability that could allow hackers to install key loggers or other malware on computers.

“Attacks leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0.,” the company said. “The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

"An attacker would have no way to force users to visit such a website, but would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website."

The “important” patches address information disclosure, remote execution and elevated privilege issues in Windows, Office, Windows Server and Microsoft Development Tools.