Microsoft to Fix Internet Explorer Security Hole on Patch Tuesday

Microsoft is preparing to address 12 security vulnerabilities with December's Patch Tuesday update. Among the critical fixes is a security patch for a zero-day vulnerability affecting Internet Explorer 6 and 7.

Microsoft is planning to release six security bulletins for December's Patch Tuesday, including one to cover the recently disclosed zero-day vulnerability affecting Internet Explorer.

According to the prerelease advisory, three of the bulletins are rated critical. The remaining bulletins are rated important. All told, Microsoft will address 12 vulnerabilities in Windows, Internet Explorer and Microsoft Office products.

The Internet Explorer vulnerability, discussed by Microsoft in a security advisory, affects Internet Explorer 6 and 7. The vulnerability is an invalid pointer reference of IE. In certain situations, a CSS/Style object can be accessed after the object is deleted. In a specially crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code, Microsoft warned.

"The IE update maps to bulletin No. 4 in the ANS and will be at the top of our deployment priority list," blogged Jerry Bryant, security program manager for Microsoft Security Response Center. "The other critical update affecting Windows (bulletin No. 1) will have a lower Exploitability Index rating, so while the impact is higher with a critical severity rating, the lower risk will drop the deployment priority down a little. The final critical update affecting Microsoft [Office] Project (bulletin No. 3) is only critical for Project 2000."

The updates are scheduled to become available Dec. 8.