'Critical' Fixes for Internet Explorer, Silverlight in Microsoft's October Security Bulletin
Microsoft today released its October Security Bulletin, which includes eight bulletins that address 23 vulnerabilities -- with two bulletins labeled "critical" and six "important."
The first critical bulletin fixes eight privately reported vulnerabilities in Internet Explorer. Microsoft said that one of the holes could lead to remote code execution if a user visited a specially crafted Web page while using Microsoft's browser.
The second critical bulletin fixes an issue in Microsoft .NET Framework and Microsoft Silverlight. Just as with the first bulletin, if left unpatched, users could be subjected to remote code execution, in this case through an Internet Explorer error triggered when the browser runs XAML Browser Applications (XBAPs) or Silverlight applications.
As with all items deemed critical by Microsoft, security experts advise IT and users to prioritize these patches as soon as possible. "In addition to the eight critical vulnerabilities being fixed in Internet Explorer, both consumer and corporate customers urgently need to patch Silverlight with MS11-078, which may or may not be installed on your system," wrote Kurt Baumgartner, a Kaspersky Lab expert, in a blog post.
The first important bulletin covers Host Integration Server 2004, 2006, 2009 and 2010 and, if left unpatched, could enable a denial-of-service attack. The second of the six important items concerns Windows Server 2003 and Windows XP, and patches a hole that attackers could exploit for elevation of privilege.
On the next item, Robert Keith, security advisor at Symantec, breaks down the Windows kernel-mode error (affecting all supported versions of Windows and Windows Server) that gets a fix: "A local privilege-escalation vulnerability occurs because the kernel fails to properly validate user-supplied data between user-mode and kernel-mode. An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer."
The final three bulletins target Forefront Unified Access Gateway 2010, Windows Media Center running on Windows 7 and Microsoft Active Accessibility. If left unpatched, flaws in these products could all lead to remote code execution attacks.
More information on October's Security Bulletin can be found here. Microsoft has also released a chart prioritizing each patch:
Courtesy of Microsoft