Microsoft Patches IE, Outlook Flaws

Both vulnerabilities, deemed critical, could allow an attacker to execute arbitrary code on a user's system.

Microsoft Corp. issued patches Wednesday afternoon for a series of newly discovered vulnerabilities in Internet Explorer and Outlook Express.

Both patches are for vulnerabilities deemed critical, according to Microsofts official postings. Both could result in an attacker being able to execute arbitrary code on a users system, according to Microsft TechNet.

In the case of IE, the patch closes four new holes including: a buffer overrun vulnerability in URLMON.DLL; a vulnerability in IEs file upload control; a flaw in the way IE handles third-party file rendering; and a flaw in the way modal dialogs are treated by IE.

Of the four, the buffer overrun is the most troubling as it could allow an attacker to run code on a users system if the user were lured to an attackers Web site, officials said. The other vulnerabilities could also result in a compromise of the users machine either through a malicious Web site or through a specially crafted HTML e-mail message.

The Outlook Express vulnerability could allow an attacker to control a users machine through a MHTML (MIME Encapsulation of Aggregate HTML) URL, either on a Web site or embedded in an HTML e-mail, officials cautioned. The vulnerability exists in Outlook Express MHTML URL Handler that allows any file that can be rendered as text to be opened and rendered as part of a page in Internet Explorer.

"As a result, it would be possible to construct a URL that referred to a text file that was stored on the local computer and have that file render as HTML. If the text file contained script, that script would execute when the file was accessed. Since the file would reside on the local computer, it would be rendered in the Local Computer Security Zone. Files that are opened within the Local Computer Zone are subject to fewer restrictions than files opened in other security zones," Microsoft officials wrote.

Patches for the two critical vulnerabilities are available on the Microsoft site for Internet Explorer and Outlook Express.

Latest Microsoft News:

Latest Security News:

For more Microsoft scoops, check out Ziff Davis Microsoft Watch.