Microsoft to fix IE CSS and Windows Graphics flaws


Microsoft announced on Thursday its bulletins for February 2011’s Patch Tuesday.

The software giant is planning to release 12 bulletins, three of them rated Critical and nine rated Important, to address issues in Windows, Internet Explorer, Office, Visual Studio and IIS. Microsoft also confirmed it will patch two important flaws in Internet Explorer and Windows on Patch Tuesday. Microsoft recently warned of a publicly disclosed flaw affecting the Windows Graphics Rendering Engine on Vista, Server 2003 and Windows XP. The vulnerability is caused when the Windows Graphics Rendering Engine improperly parses a specially crafted thumbnail image, resulting in a stack overflow. Microsoft will be patching this vulnerability in February’s Patch Tuesday. Windows 7 is unaffected by the flaw.

Microsoft’s second unpatched vulnerability is a CSS issue with Internet Explorer. The issue is caused by a use-after-free error within the mshtml.dll library when processing webpages featuring CSS that uses “@import” rules. Attackers can exploit the flaw to execute arbitrary code via a specially crafted web page. The vulnerability affects Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3. Internet Explorer 6 and 7 are also affected on Windows XP SP3. Microsoft said on Thursday that it is planning to fix this vulnerability on Patch Tuesday.

Microsoft recently warned of an unpatched vulnerability in all supported versions of Windows. The vulnerability affects Windows XP, Vista, Windows 7 and all supported Windows Server releases. The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context. An attacker who successfully exploited this vulnerability could inject a client-side script in the user’s Internet Explorer instance. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

Microsoft has not confirmed when it plans to address the recent Windows vulnerability. Angela Gunn of Microsoft’s Trustworthy Computing team says the company hasn’t “seen any indications of active exploitation.” Microsoft is currently investigating the vulnerability and says it’s working on a security update to address the flaw.
