Alert - Microsoft Releases Security Bulletin (Out-of-Band) to Address Vulnerabilities in Adobe Flash Player in Internet Explorer 10
Today, Microsoft released MS12-063 to protect customers against the issue described in Security Advisory 2757760. The security update resolves one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Microsoft encourages customers to test and deploy the update as soon as possible.
What is the purpose of this alert?
This alert is to provide you with an overview of the new security bulletin being released (out of band) on September 21, 2012, for new vulnerabilities in Internet Explorer.
Microsoft is also releasing one new security advisory today for Adobe Flash Player in Internet Explorer 10 on Windows 8 and Windows Server 2012.
New Security Bulletin
Microsoft is releasing one new security bulletin (out-of-band) for newly discovered vulnerabilities:
Microsoft Security Bulletin MS12-063
Cumulative Security Update for Internet Explorer (2744842)
This security update resolves one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 2757760.
Severity Ratings and Affected Software
- This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients.
- This security update is rated Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows servers.
- Internet Explorer 10 is not affected.
Attack Vectors
- An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
- The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability.
- An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.
Mitigating Factors
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
- By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section for this vulnerability for more information about Internet Explorer Enhanced Security Configuration.
This update requires a restart.
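The mitigations above are per-host configuration, so an administrator will want a quick way to confirm, on each Windows client or server, that KB2744842 is installed, which Internet Explorer version is present, and whether Enhanced Security Configuration is on. The script below is an added example, not part of Microsoft's alert; it assumes local rights to read HKLM and that Get-HotFix reports the IE cumulative update, and it uses the standard Internet Explorer version keys and the Active Setup component GUIDs that record ESC state.

```powershell
# Added example (not from the Microsoft alert): verify MS12-063 patch state and
# the mitigations the alert lists. Assumes local HKLM read access.

$kb = 'KB2744842'
# Get-HotFix reads Win32_QuickFixEngineering; IE cumulative updates appear there.
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# IE 10 records its version in svcVersion; IE 9 and earlier use Version.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$major = [int]($ieVersion.Split('.')[0])

# Enhanced Security Configuration state is stored per group under Active Setup
# (A509B1A7 = Administrators, A509B1A8 = Users); IsInstalled = 1 means ESC is on.
$escBase  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$escAdmin = Get-ItemProperty "$escBase\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue
$escUser  = Get-ItemProperty "$escBase\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    IEVersion   = $ieVersion
    IEAffected  = ($major -ge 6 -and $major -le 9)   # IE 10 is not affected per the bulletin
    KB2744842   = [bool]$hotfix
    InstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    ESC_Admins  = ($escAdmin.IsInstalled -eq 1)
    ESC_Users   = ($escUser.IsInstalled -eq 1)
}
```

A host reporting IEAffected true and KB2744842 false still needs the update; ESC true on a server only reduces exposure and is not a substitute for installing it.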
Bulletins Replaced by This Update
New Security Advisory
Microsoft published one new security advisory on September 21, 2012. Here is an overview of this new security advisory:
Security Advisory 2755801
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
Internet Explorer 10 on Windows 8 and Windows Server 2012
Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10.
Public Bulletin Webcast
Microsoft will host a webcast to address customer questions on the new security bulletin:
- Title: Information About Microsoft's September 2012 Out-of-Band Security Bulletin Release
- Date: Friday, September 21, 2012, 12:00 P.M. Pacific Time (U.S. and Canada)
- URL: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032529852
Resources related to this alert
- Security Bulletin MS12-063 – Cumulative Security Update for Internet Explorer (2744842): http://technet.microsoft.com/security/bulletin/MS12-063
- Security Advisory 2757760 – Vulnerability in Internet Explorer Could Allow Remote Code Execution: http://technet.microsoft.com/en-us/security/advisory/2757760
- Security Advisory 2755801 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10: http://technet.microsoft.com/en-us/security/advisory/2755801
- Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/
- Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/
- Security Notification Service: http://technet.microsoft.com/en-us/security/dd252948.aspx. Email regarding these security bulletins has been sent to IT professionals who have subscribed to receive this notification (both Basic and Comprehensive).
Regarding Information Consistency
We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.