Microsoft: "Consistent exploit code likely" for IE vulnerabilities

Microsoft today shipped four bulletins with patches for at least 8 documented security vulnerabilities affecting Windows users and warned that "consistent exploit code could be easily crafted" to launch attacks via the Internet Explorer browser. The Patch Tuesday batch includes fixes for a pair of code execution holes in IE, two bugs in the Microsoft Exchange Server, a remote code execution issue in the Microsoft SQL Server, and three separate flaws haunting users of Microsoft Office Visio. The Microsoft warning that consistent exploit code was likely suggests that it’s very easy for an attacker to host a specially crafted Web site and attack unpatched users who surfed to the rigged Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. This security update is rated Critical for Internet Explorer 7 running on supported editions of Windows XP and Windows Vista. For Internet Explorer 7 running on supported editions of Windows Server 2003 and Windows Server 2008, this security update is rated Moderate.

The Internet Explorer bulletin (MS09-002) should be treated with urgency because the flaws can be exploited to launch drive-by download attacks.

Read the entire article at ZDNET