It's patching time again for Microsoft users, after the software giant released "critical" fixes for Internet Explorer and Outlook Express last night.
First up there's a patch for Internet Explorer, designed to fix four critical vulnerabilities, the worst of which could allow crackers to inject arbitrary code onto a victim's machine.
The root cause of this problem is, as usual, a buffer overrun vulnerability. URLMON.DLL is the culprit in this particular case.
Exploit scenarios are all too familiar: a cracker would trick a user into visiting a maliciously constructed Web site, possibly using spam messages. The other three problems are a "moderate" vulnerability in the IE file upload control, a flaw in the way IE handles the rendering of third-party files, and a problem in the way "modal dialogs are treated by IE".
Users of IE 5.01, 5.5 and 6.0 are potentially affected by these issues, which are explained in much greater depth in Microsoft's advisory.
Separately, Microsoft issued a patch to correct a potentially devastating vulnerability with Outlook Express.
The problem, which affects OE 5.5 and 6.0, involves a flaw in how HTML is encapsulated in email messages. The upshot of this complex problem, explained in greater depth here, is that attackers might be able to launch locally stored programs if they were able to trick victims into visiting a maliciously constructed Web site.
That's the theory, anyway.
There's more information, and links to a patch for this critical problem, in Microsoft's advisory. ®