Microsoft pushes IE 9 tweak via Windows Update to close three critical security holes

Microsoft pushes IE 9 tweak via Windows Update to close three critical security holes

Internet Explorer 9Microsoft has reminded Internet Explorer users of the importance of keeping their browser updated against security threats.

Microsoft said on Thursday that it had pushed an update to its Internet Explorer Version 9 web browser through its Windows Update feature earlier in the week in an effort to quickly close three, critical security holes.

If unpatched and exploited by cybercriminals, the vulnerabilities could allow an attacker to use a webpage to install and run malicious code on vulnerable systems.

The company announced the release of IE Version 9.0.11 via Windows Update in a blog post, and advised users of IE 9 to apply it immediately.

The update fixes security holes associated with the recently released MS12-071 Security Bulletin.

The vulnerabilities affected the IE 9 browser running on every supported version of Windows. However, earlier versions of Internet Explorer were not affected, nor was IE 10, the latest version of Microsoft’s popular web browser.

Microsoft blog post

Microsoft has described the security vulnerabilities as caused by a flaw in the way that IE 9 accesses an object that has been deleted or not correctly initialized. It affects three Internet Explorer components, named CFormElement, CTreePos and CTreeNode.

Attackers could exploit the so-called “use after free” vulnerabilities using a variety of techniques: websites, malicious ActiveX controls embedded in an application or Office document or malicious advertisements displayed on legitimate sites.

Attacks would still require users to click on the malicious content, and the attackers would be limited by the victim’s permission levels on his or her own machine.

As we noted in our coverage of the November Patch Tuesday release, “use after free” bugs happen when software gives back memory to the operating system in order to free up resources it no longer needs, but then carries on using that memory anyway.

The update closes the security holes. Microsoft said that most IE9 users will get the upgrade automatically using Microsoft’s Automatic Update feature. (A description of how to configure automatic updates can be found in a Microsoft knowledgebase article.)

Those who haven’t enabled the Auto Update feature were advised to use the Microsoft Update service to download and install it.

The IE 9 update was released on Tuesday, one of six security bulletins released with Microsoft’s monthly security patch release.