Internet Explorer cumulative security update
Report ID: S201110007
Date Published: 12 October 2011
Criticality: Critical
Compromise Type: remote-code-execution
Compromise From: remote
Affected Product/Component:
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9
Summary
A cumulative security update for Internet Explorer has been released to address eight reported vulnerabilities, each of which could lead to remote code execution.
Detailed Description
Microsoft has released a cumulative security update for Internet Explorer, which affects IE6 to IE9. The update rolls out fixes for eight reported vulnerabilities which could allow a remote attacker to execute arbitrary code and take control of an affected system.
The eight reported vulnerabilities are as follows:
- Scroll event remote code execution vulnerability (CVE-2011-1993)
  Option element remote code execution vulnerability (CVE-2011-1996)
  OnLoad event remote code execution vulnerability (CVE-2011-1997)
  Body element remote code execution vulnerability (CVE-2011-2000)
  When IE attempts to access a deleted object, memory may be corrupted in such a way that an attacker could execute code in the context of the logged-on user.
- OLEAuto32.dll remote code execution vulnerability (CVE-2011-1995)
  Jscript9.dll remote code execution vulnerability (CVE-2011-1998)
  When IE attempts to access an object that has not been initialized, memory may be corrupted in such a way that an attacker could execute code in the context of the logged-on user.
- Select element remote code execution vulnerability (CVE-2011-1999)
  When IE attempts to access a dereferenced memory address, memory may be corrupted in such a way that an attacker could execute code in the context of the logged-on user.
- Virtual function table corruption remote code execution vulnerability (CVE-2011-2001)
  When IE attempts to access a corrupted virtual function table, memory may be corrupted in such a way that an attacker could execute code in the context of the logged-on user.
The update addresses the vulnerabilities listed above by modifying the way IE handles objects in memory and the way it allocates and accesses memory. Users are advised to apply the latest update to protect their systems from potential exploitation.
CVE Reference
CVE-2011-1993, CVE-2011-1995, CVE-2011-1996, CVE-2011-1997, CVE-2011-1998, CVE-2011-1999, CVE-2011-2000, CVE-2011-2001
Solution
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms11-081




