Posts tagged ‘Internet Explorer’

IE Update fixes flaws of MS09-054

Microsoft has released another update for Internet Explorer. It is supposed to fix some flaws that may occur after installing the cumulative update from the last Patchday, MS09-054. In a knowledge base article, Microsoft explains the issues that may arise:

- The offsetTop calculation for elements that are contained as children of scrolled elements may be reported incorrectly in Windows Internet Explorer 8

- You receive a VBScript “Type Mismatch” script error message in Internet Explorer after you install cumulative security update 974455

Fig. 1: The automatic Windows Update offers a new update for Internet Explorer.

Though the update is not critical, some users may experience the described problems after installing the last security update. Users should therefore install the offered patch, which requires a reboot of the computer.

Dirk Knop
Technical Editor

Out-of-band Patches from Microsoft II

As announced last week, Microsoft has released two security bulletins out-of-band. They address critical vulnerabilities in all Internet Explorer versions and a flawed Active Template Library (ATL) for developers using Microsoft’s Visual Studio.

The ATL is used, for example, to build ActiveX controls. Due to the flaw in the ATL, it is possible to bypass the kill bit restrictions within Internet Explorer (IE). Manipulated websites can thus call ActiveX modules with security vulnerabilities and inject malware into affected computers. Microsoft now closes three security holes in IE and hardens it against abuse of the flaws introduced by the ATL.

The error is based on flaws within the ATL of Visual Studio, so components built with this development environment can be affected, too. Cisco, for example, has released a security advisory announcing workarounds and updates for the Cisco Unity software. Expect other software developers to release updates soon, too.

Interestingly, according to Microsoft’s Security Bulletins, Windows 7 is not affected by these vulnerabilities.

Install the updates as soon as possible, and if you are a developer, rebuild your components with the new ATL. A knowledge-base article from Microsoft explains the issue for developers.

Dirk Knop
Technical Editor

Out-of-band Patches from Microsoft

Microsoft has announced extraordinary updates for Internet Explorer and for Visual Studio for this coming Tuesday. While the company rates the security issue in Visual Studio only as moderate, the IE flaws, which also affect IE8, are considered critical and allow for remote code execution.

Prepare for those updates: if Microsoft decides to do an out-of-band release, they are really critical and necessary. Install them ASAP when available.

Dirk Knop
Technical Editor

Microsoft warns of critical Internet Explorer/DirectShow flaw

In a security advisory published yesterday, Microsoft warns of a critical error within an ActiveX component for Internet Explorer. This DirectShow component provides video playback, recording and capture capabilities. Due to the error, it is possible for attackers to inject malicious software (well, malware, let’s name it!) into the computer without user intervention, as soon as the user visits a hacked website. We detect the exploiting JavaScript as “HTML/Shellcode.Gen”.

Microsoft also reports that this vulnerability is already being exploited on the Internet. There is no patch to close the security hole yet. However, the company provides a knowledge base article with a “FixIt for me” workaround. This installer can be distributed in company networks as well as on home computers and disables the execution of the faulty component within Internet Explorer. Make sure to run it if you use any flavour of Windows XP or Windows Server 2003!

Dirk Knop
Technical Editor