Microsoft patches critical IE, Silverlight drive-by bugs

Fixes 23 flaws, including one that also affects Mac users running Silverlight plug-in

Microsoft today shipped eight security updates that patched 23 vulnerabilities in Windows, Internet Explorer (IE), .Net Framework, Silverlight and other bits in its portfolio.

Two of the updates were labeled "critical," Microsoft's most-serious threat ranking, while the other six were rated "important," the next-most-severe tag.

All but eight of the vulnerabilities -- which were tagged to IE -- affected one or more editions of Microsoft's client or server versions of Windows. Of the 23 total bugs, nine were rated critical, 13 were pegged important and one was marked "moderate."

The two critical updates -- MS11-081 for IE, and MS11-078 for .Net and Silverlight -- were the two called out by Microsoft and consistently by outside researchers as the pair to apply first.

"It's no surprise that IE is at the top of the list," said Storms. Microsoft typically patches its browser every other month, and last updated IE in August.

One of the eight critical vulnerabilities in the IE update affected just IE9, which shipped last March. Microsoft has patched IE9 before today, but this is the first it's needed to fix a flaw specific to only that edition.

The IE9-only vulnerability is in that edition's version of a JavaScript DLL (dynamic link library) used by that browser.

As usual, the IE vulnerabilities could be exploited by hackers with a classic "drive-by download" style of attack simply by convincing users to steer for a malicious website.

Other researchers agreed that MS11-081 should be deployed immediately. "Every time you see one of these [IE] updates, you need to patch them immediately," said Jason Miller, of VMware's research and development team.

The second consensus top-pick was the update for .Net -- a Windows-centric software framework -- and Silverlight, a Microsoft application framework for content-intensive websites and online applications.

Like the IE update, MS11-078 can be exploited by attackers who dupe users into visiting a malicious website. Worse, the flaw could be exploited by hackers targeting not just IE users, but Mac owners running a browser with the Silverlight plug-in, or Windows users running the plug-in within Apple's Safari, Google's Chrome or Mozilla's Firefox.

"By my reading of the bulletin, it's cross-browser and cross-platform," said Miller.

Microsoft updated its Mac Silverlight plug-in separately; users should immediately download and install the newest version from the Silverlight website.

Storms highlighted MS11-078 if only because of its novelty. "We're used to the IE bugs, but [MS11-078] has three different attack vectors, and the Web hosting one has high potential for exploitation," Storms said.

"If a Web hosting environment allows users to upload custom ASP.NET applications, an attacker could upload a malicious ASP.NET application that uses this vulnerability to break out of the sandbox used to prevent ASP.NET code from performing harmful actions on the server system," said Microsoft in its accompanying bulletin.

Storms said he could see attackers try to leverage that to compromise servers at an Internet service provider (ISP).

Microsoft also returned to the "DLL load hijacking" well this month, Miller and Storms both noted. DLL load hijacking, sometimes called "binary pre-loading," describes a class of bugs first revealed in August 2010. Microsoft has been patching its software to fix the problem -- which can be exploited by tricking an application into loading a malicious file with the same name as a required dynamic link library, or DLL -- since last November.

So far, said Miller, Microsoft has released 17 security updates to fix DLL load-hijacking issues in its software.

Today's additions patched Windows Media Player and an accessibility component meant to make Windows usable by the disabled.

Miller reminded users that Microsoft published a tool more than a year ago that blocks attacks based on DLL load hijacking.

October's security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services. The sole exception is MS11-079, which must be manually downloaded from the company's download center.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is

See more articles by Gregg Keizer.

metatag data

Copyright © 2011 IDG Communications, Inc.

Shop Tech Products at Amazon