Microsoft closes holes in Internet Explorer and Silverlight
As expected, Microsoft has released eight security bulletins to address a total of 23 vulnerabilities across a number of its products on its October Patch Tuesday. One update for Internet Explorer alone closes eight critical holes. An update for .NET and Silverlight closes another critical vulnerability that only requires victims to visit a specially crafted web page in order to infect their computers with malicious code. Microsoft says that this hole can also be exploited to compromise a server if an attacker has the ability to upload ASP.NET pages to an Internet Information Server (IIS) and execute them there.
The remaining updates are rated as important by Microsoft; they fix vulnerabilities in the Microsoft Active Accessibility and Windows Media Center components, in the Windows kernel, in the Host Integration Server, in the Windows Ancillary Function Driver and in the Forefront Unified Access Gateway (UAG). Although some of these holes also enable attackers to inject and execute code, they require more user interaction than those in Internet Explorer.
Microsoft has also released further patches to fix vulnerabilities that are based on "binary planting", an attack which involves causing Windows to load DLLs from shared network volumes without a user's permission. As with the previous Patch Tuesday, an updated version of the Microsoft Windows Malicious Software Removal Tool (MSRT) was released at the same time.
- Microsoft Security Bulletin Summary for October 2011, security bulletin from Microsoft.