COM object instantiation memory corruption and mismatched DOM objects memory corruption vulnerabilities were deemed critical in all versions of IE except IE 6 for Windows Server 2003.
Left unpatched, the vulnerabilities could allow an attacker to take complete control of the user's PC, though the user would first have to visit a Web site or open an e-mail message containing the exploit.
The moderate IE flaws deal with a manipulation vulnerability in the file download dialog box and a vulnerability in the HTTPS proxy.
The second security bulletin, MS05-055, is a fix to the Windows kernel that, left unchecked, would give the attacker elevation of privilege permissions on the computer, such as administrator rights.
Because the attacker would have to log on to a machine with a valid login and run a program locally, the security bulletin was rated "important," rather than "critical."
The vulnerability is a flaw in the asynchronous procedure call (APC) function in Windows 2000 Service Pack 4, reported by security firm eEye Digital Security in May. Security experts said that while in and of itself the vulnerability is important, its use in a blended attack — such as an e-mail worm or virus — makes it critical because it would give the attacker a remote means to take over the machine.
"This vulnerability is unusual in that it represents a growing trend of blended threats attackers are using to subvert systems remotely," Marc Maiffret, eEye co-founder and chief hacking officer, said in a statement. "These types of threats highlight the need for enterprises to focus on host-based solutions that enable them to make their networks zero-day immune."
A revised patch for MS05-50, originally released in October to plug a DirectShow vulnerability, was released today as well for customers using Windows 2000 Service Pack 4, Windows XP SP 1 and Windows 2003.
