Joris Evers at CNET reports that ‘Critical’ megapatch sews up 10 holes in IE:
Microsoft on Tuesday released a “critical” Internet Explorer update that fixes 10 vulnerabilities in the Web browser, including a high-profile bug that is already being used in cyberattacks.
The Redmond, Wash., software giant sent out the IE megafix as part of its monthly Patch Tuesday cycle of bulletins. In addition, Microsoft delivered two bulletins for “critical” Windows flaws, one for an “important” vulnerability in Outlook Express and one for a “moderate” bug in a component of FrontPage and SharePoint.
“This patch release is a big one with lots of aftershocks,” said Jonathan Bitle, a product manager at security company Qualys. “Three of the five updates, the IE and Windows updates, are especially critical as they take advantage of inexperienced users… Although a worm epidemic is unlikely, users can be easily enticed to visit malicious Web pages.”
Eight of the 10 vulnerabilities repaired by the IE update could be abused to gain complete control over a Windows computer running vulnerable versions of the Web browser. In all instances, an attacker would have to create a malicious Web site and trick people into visiting that site to hook into a PC, Microsoft said in its Security Bulletin MS06-013.
The eight drive-by vulnerabilities include the one reported last month, in which compromised everyday Web sites were serving as the shadowy “malicious Web sites” Microsoft seems to be so fond of warning against.
Also in the security update for IE is the non-security change in the handling of ActiveX controls mandated by Microsoft’s patent infringement case with Eolas, which had previously been released as a “voluntary patch.” It’s a little more complicated than that, because Microsoft is also providing a “compatibility patch” that disables the Eolas change until June for developers who are still modifying corporate applications to cope with it. Not unexpectedly, Eolas said last month that it would have been simpler just to pay them. David Berlind observes that the extra user clicks that may be required for some ActiveX controls put Firefox one up on Internet Explorer, because Eolas is not pursuing the open source browser.