Microsoft pushes IE 9 tweak via Windows Update to close three critical security holes

Filed Under: Internet Explorer, Malware, Microsoft, Vulnerability

Microsoft has reminded Internet Explorer users of the importance of keeping their browser updated against security threats.

Microsoft said on Thursday that it had pushed an update to its Internet Explorer Version 9 web browser through its Windows Update feature earlier in the week in an effort to quickly close three critical security holes.

If unpatched and exploited by cybercriminals, the vulnerabilities could allow an attacker to use a webpage to install and run malicious code on vulnerable systems.

The company announced the release of IE Version 9.0.11 via Windows Update in a blog post, and advised users of IE 9 to apply it immediately.

The update fixes security holes associated with the recently released MS12-071 Security Bulletin.

The vulnerabilities affected the IE 9 browser running on every supported version of Windows. However, earlier versions of Internet Explorer were not affected, nor was IE 10, the latest version of Microsoft's popular web browser.

Microsoft has described the security vulnerabilities as caused by a flaw in the way that IE 9 accesses an object that has been deleted or not correctly initialized. It affects three Internet Explorer components, named CFormElement, CTreePos and CTreeNode.

Attackers could exploit the so-called "use after free" vulnerabilities using a variety of techniques: websites, malicious ActiveX controls embedded in an application or Office document, or malicious advertisements displayed on legitimate sites.

Attacks would still require users to click on the malicious content, and the attackers would be limited by the victim's permission levels on his or her own machine.

As we noted in our coverage of the November Patch Tuesday release, "use after free" bugs happen when software gives back memory to the operating system in order to free up resources it no longer needs, but then carries on using that memory anyway.
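The bug class described above, as an added example that is not part of the original article and is not Internet Explorer's code: a constructed node pool in C hands out handles stamped with a generation counter, so a reference kept after its node is deleted is rejected instead of touching freed memory. The names `Node`, `Handle`, `node_create`, `node_get` and `node_destroy` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tiny node pool, not any browser's real allocator. */
#define POOL_SIZE 4
typedef struct { uint32_t generation; int live; char tag[16]; } Node;
typedef struct { uint32_t index, generation; } Handle;
static Node pool[POOL_SIZE];

/* Allocate a node; the handle records the slot's current generation. */
Handle node_create(const char *tag) {
    for (uint32_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            snprintf(pool[i].tag, sizeof pool[i].tag, "%s", tag);
            return (Handle){ i, pool[i].generation };
        }
    }
    return (Handle){ UINT32_MAX, 0 };   /* pool exhausted: invalid handle */
}

/* Resolve a handle; NULL if the node was deleted or its slot was reused. */
Node *node_get(Handle h) {
    if (h.index >= POOL_SIZE) return NULL;
    Node *n = &pool[h.index];
    if (!n->live || n->generation != h.generation) return NULL;
    return n;
}

/* Delete a node: every outstanding handle to it becomes stale. */
int node_destroy(Handle h) {
    Node *n = node_get(h);
    if (!n) return -1;                  /* stale handle or double delete */
    n->live = 0;
    n->generation++;                    /* invalidates old handles */
    memset(n->tag, 0, sizeof n->tag);
    return 0;
}

int main(void) {
    Handle form = node_create("form"), stale = form;  /* second reference */
    node_destroy(form);
    printf("after delete: %s\n", node_get(stale) ? "usable" : "rejected");
    Handle input = node_create("input");              /* reuses the slot */
    printf("after reuse:  %s (slot now holds '%s')\n",
           node_get(stale) ? "usable" : "rejected", node_get(input)->tag);
    return 0;
}
```

With raw pointers, the second reference would still point at the reused slot; the generation check is what turns that silent reuse into a detectable failure.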

The update closes the security holes. Microsoft said that most IE 9 users will get the upgrade automatically using Microsoft's Automatic Update feature. (A description of how to configure automatic updates can be found in a Microsoft Knowledge Base article.)

Those who haven't enabled the Auto Update feature were advised to use the Microsoft Update service to download and install it.

The IE 9 update was released on Tuesday, one of six security bulletins released with Microsoft's monthly security patch release.



2 Responses to Microsoft pushes IE 9 tweak via Windows Update to close three critical security holes

  1. I'm gonna go ahead and recommend that instead of installing the latest IE9 patch, Windows 7 users upgrade to the recently-released IE10 preview. In spite of not being a final version, it seems to be generally faster, more accurate, and more secure than the current release of IE9, in addition to having greater support for many HTML5 and CSS3 features. Windows 8 includes IE10 by default.

  2. roy jones jr · 518 days ago

    The good news is that I have seen Internet Explorer 9 (in combination with Windows 7) fend off more attacks than the previous version. I'm stunned actually that the updates aren't like 50 files at a time.

About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.