Microsoft Security Bulletin MS12-077 – Critical


This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 9 and Internet Explorer 10 on Windows clients including the Internet Explorer 10 Release Preview for Windows 7 and Windows Server 2008 R2, and Moderate for Internet Explorer 9 and Internet Explorer 10 on Windows servers. This security update has no severity rating for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8, because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration. However, as a defense-in-depth measure, Microsoft recommends that customers of this software apply this security update. For more information please see the full bulletin.

Microsoft Security Advisory (2755801) Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10

Microsoft is also releasing an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10. For more information please see the full advisory.

Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

— Tyson Storey, Program Manager, Internet Explorer

Comments (24)

  1. @IE team says:

    Please release the formal version (final version) early!

    @IE10 for Windows 7

  2. @@IE team says:

    Given that they're looking at doubtlessly tricky security issues, which might have knock-on effects or have related security concerns, I would say — don't listen to the peanut gallery, release when happy it's stable and secure.

  3. Walter says:

    I noticed that the "xMetro" Google app isn't a full Google Chrome browser but a wrapper around Internet Explorer.  Is this because Microsoft has locked out alternative browsers from installing in xMetro?!  If so why has Microsoft stopped quality apps from being developed/distributed through the Windows Store?

    Is the European Commission ok with this? It seems to be a major deviation from respecting user wishes about letting them select the best browser for themselves.

  4. Daryl says:

    Please set a good example in IE10 by publishing quality code.

    When IE10 displays a "This page can't be displayed" error the markup is full of sloppy code.

    [body onLoad="javascript:getInfo();"]

    http://pastebin.com/kZ3GCpv9

    Why is Microsoft still pushing ugly camelcase markup to the browser?!

    Why is Microsoft using the "javascript:" protocol on inline event handlers that can only run script?!

    Lead by example please!

  5. Devil says:

    IE 10 will never be finished. Hahaha…

  6. Yannick says:

    @Walter – Quality apps? What has that to do with Chrome? Anyway, no, Microsoft doesn't, but when you develop an app for Windows 8 that has the functionality to go on the web, it just uses Trident 6 (in this case). Otherwise, you need to install another engine in the desktop mode. Anyway, nothing wrong with Trident…

  7. Jane says:

    A Quick video showing what everyone was searching for on Google in 2012:

    http://www.google.com/…/2012

    This is specifically for the MS Troll in the last post that was in love with Bing.

  8. A brittle report says:

    Microsoft refuses to patch IE mouse tracking flaw that is currently being exploited

    http://www.neowin.net/…/microsoft-refuses-to-patch-ie-mouse-tacking-flaw-that-is-currently-being-exploited

    ——————————————————————————————————-

    Please correspond, not neglect but while it is early.

  9. Richard Cox says:

    I'm running IE10 preview on 2008R2SP1, but no sign of KB2761465 in Windows Update.

    Is there a separate download available (as there is for other combinations of Windows and IE from technet.microsoft.com/…/ms12-077)? Or do I need to just wait for the preview patch to be pushed to Windows Update?

    (All the other patches released on Tuesday appear to have come through without issue on that machine.)

  10. Mitch says:

    @Jane, aka Google Troll. Don't try too hard. Everybody knows Google is going nowhere with its pathetic products.

    Microsoft wins always!

  11. Tyrone says:

    @Mitch you're a funny one….

    Miceosoft does make some brillant (sic) products like:

    Zune (dead)

    Windows CE (dead)

    Bob (dead)

    IE (dying)

    Windows 8 (commercial failure)

    Windows RT (DOA due to zero support)

    Windows Phone (Crickets…..)

  12. Richard Cox says:

    Found the download for 2008 R2. Still not linked from the MS12-077 KB or Security Bulletin pages (latter says Windows Update only, where it is still not found).

    But: http://www.microsoft.com/…/details.aspx works.

  13. yuhong2 says:

    Missing mshtml.pdb for this update for IE10RP for Win7 again:

    SYMSRV:  msdl.microsoft.com/…/4742F1D4C4E1417D8A17A7776396FAC12/mshtml.pdb not found

  14. PhistucK says:

    @Dennis -

    There are a lot of Microsoft products that were not mentioned in the list that Tyrone provided. Live Mesh and (recently) Windows Live Mesh come to mind. Every company kills a lot of products. Not only Google and not only Microsoft.

    Your points are pretty obsolete as it is.

    @Daryl -

    In Internet Explorer 9 and below, there are two scripting languages – VBScript and J(ava)Script, so this is probably just legacy code that was not touched as part of a "if it is not broken, do not fix it" attitude that all of us employ.

    (However, of course, I agree that the browser should employ best practices in its code.)

  15. Dennis says:

    @PhistucK, nice try bashing against MSFT corporation again. Did they eat your lunch or what? Why you all bashers are using their products for decades and still whining like *lil britches*. Damm son!

    Live Mesh is superseded by SkyDrive. You can read more about it at blogs.windows.com/…/update-on-windows-live-mesh.aspx

    Your lame arguments stink as it is.

    For JavaScript, let's try the real deal here: ECMA is the official body for JavaScript standards (en.wikipedia.org/…/Ecma_International). Here is their latest official test-bed http://test262.ecmascript.org/

    Run it on your beloved browser and then IE10 and compare the results.

    Honestly, if you have a little sense of justice.. it's time to move on to your god Google/Mozilla/Apple blogs and start whining there.

    And please don't come back here.

    /kill-trolls

  16. PhistucK says:

    @Dennis -

    Live Mesh/Windows Live Mesh are announced to be superseded by SkyDrive, but SkyDrive does not provide the same functionality (Remote Desktop is not there, for example). Again, the point you and Tyrone were trying to make is irrelevant here.

    The fact that Internet Explorer fails the least in these tests does not say a lot. Every browser vendor chooses its investments according to its interests.

    I am not saying Internet Explorer, or Microsoft, are crap. I was not even bashing.

    (Perhaps "Your points are pretty obsolete as it is." was a bad way to put it and it made you angry – "points" referred to the points you and Tyrone (together) were trying to make.)

  17. Dennis says:

    @PhistucK,

    The aforementioned blog post IS about the feature set of Mesh vs the feature set of SkyDrive. There is a heading called "Remote desktop". Should you have read it, you won't be raising that point. But it's very typical to ignore the read and jump in for the lame debate just to prove your point.

    "Again, the point you and Tyrone were trying to make is irrelevant here"

    No this is exactly the point. Your aim is to cuss, step away and leave the impression as if all your claims are valid.

    You know what else is typical? You "think" or you are trying to get the reader to think that you aren't bashing, but the reality is opposite. Being smart and manipulative don't last forever.

  18. PhistucK says:

    @Dennis -

    I have read it when it was posted. Specifically that part, actually.

    Remote Desktop is a Windows feature. It is not part of SkyDrive and it is not as simple as Live Mesh (I have not tried Windows Live Mesh) was to set up. The second offered alternative (LogMeIn) is not even a Microsoft product.

    What was it about ignoring the read, you said?

  19. Dennis says:

    @PhistucK,

    "Remote desktop is a Windows feature"

    so it is not supposed to be present in cloud application. And what are you saying, RDC is not "simple"? You stupid trolling ***! it's as simple as you can bet your ass. Just type your IP address or computer name and hit enter. If your IP address is shared, use dynamic DNS.

    Plus SkyDrive has more advanced features, you can access your computer remotely via web and save *any* file in your Computer drives (including attached USBs and CDs/DVDs) to SD or download on remote computer.

    "I have not tried Windows Live Mesh"

    then what the *** you are whining about you clingy lil ***?

  20. PhistucK says:

    @Dennis -

    Please, keep it civilized. I have not attacked you in any way.

    I meant that the Remote Desktop Connection software (mstsc.exe) is part of Windows.

    Yeah, right – simple is the word for what you just described. IP addresses… everyone knows what they are. Dynamic DNS… simply common knowledge. And that check box that enables Remote Desktop/Assistance in System Properties – everyone ticks it.

    As opposed to logging into (…) Mesh, installing whatever and clicking on a button. Simpler for the normal user, less technical and more discoverable, I would say.

    (I tried Live Mesh, not Windows Live Mesh.)

    I think this discussion is over (not because I think I "won" or anything. I do not think that way, it is just completely off topic here).

  21. Dennis says:

    @PhistucK, bitching about irrelevant stuff on open blog is not civilized either. You started this mess.. so don't be an oversensitive prickk

    Now, you think "you win"?

    Installing Mesh and keep it running as compared to preinstalled RDC.

    You just need to remember your computer name or URL.

    RDC connection always works faster, compared to Mesh or TeamViewer.

    Remembering the name (or address) of your computer vs. all the trouble.. you think it's pretty trivial.. just to prove your point.

  22. Jessica says:

    @Dennis – your behavior is atrocious – please stay off this blog unless you can control your childish behavior

  23. mary says:

    I do not understand why?