Freigeben über


Microsoft Security Bulletin MS12-077 – Critical

This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 9 and Internet Explorer 10 on Windows clients including the Internet Explorer 10 Release Preview for Windows 7 and Windows Server 2008 R2, and Moderate for Internet Explorer 9 and Internet Explorer 10 on Windows servers. This security update has no severity rating for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8, because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration. However, as a defense-in-depth measure, Microsoft recommends that customers of this software apply this security update. For more information please see the full bulletin.

Microsoft Security Advisory (2755801)Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10

Microsoft is also releasing an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10. For more information please see the full advisory.

Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

— Tyson Storey, Program Manager, Internet Explorer

Comments

  • Anonymous
    December 11, 2012
    Please release the formal version(final Version) early! @IE10 for Windows 7

  • Anonymous
    December 11, 2012
    Given that they're looking at doubtlessly tricky security issues, which might have knock-on effects or have related security concerns, I would say -- don't listen to the peanut gallery, release when happy it's stable and secure.

  • Anonymous
    December 11, 2012
    I noticed that the "xMetro" Google app isn't a full Google Chrome browser but a wrapper around Internet Explorer.  Is this because Microsoft has locked out alternative browsers from installing in xMetro?!  If so why has Microsoft stopped quality apps from being developed/distributed through the windows store? Is the European Commision ok with this? It seems to be a major deviation from respecting user wishes about letting them select the best browser for themselves.

  • Anonymous
    December 12, 2012
    Please set a good example in IE10 by publishing quality code. When IE10 displays a "This page can't be displayed" error the markup is full of sloppy code. [body onLoad="javascript:getInfo();"] http://pastebin.com/kZ3GCpv9 Why is Microsoft still pushing ugly camelcase markup to the browser?! Why is Microsoft using the "javascript:" protocol on inline event handlers that can only run script?! Lead by example please!

  • Anonymous
    December 12, 2012
    IE 10 will never be finished. Hahaha...

  • Anonymous
    December 12, 2012
    @Walter - Quality apps? What has that to do with Chrome? Anyway, no, Microsoft doesn't, but when you develop an app for Windows 8 that has the functionality to go on the web, it just uses Trident 6 (in this case). Otherwise, you need to install another engine in the desktop mode. Anyway, nothing wrong with Trident...

  • Anonymous
    December 12, 2012
    A Quick video showing what everyone was searching for on Google in 2012: www.google.com/.../2012 This is specifically for the MS Troll in the last post that was in love with Bing.

  • Anonymous
    December 12, 2012
    The comment has been removed

  • Anonymous
    December 12, 2012
    I'm running IE10 preview on 2008R2SP1, but no sign of KB2761465 in Windows Update. Is there a separate download available (as there is for other combinations of Windows and IE from technet.microsoft.com/.../ms12-077)? Or do I need to just wait for the preview patch to be pushed to Windows Update? (All the other patches released on Tuesday appear to have come through without issue on that machine.)

  • Anonymous
    December 12, 2012
    @Jane, aka Google Troll. Don't try too hard. Everybody knows Google is going nowhere with its pathetic products. Microsoft wins always!

  • Anonymous
    December 13, 2012
    @Mitch you're a funny one.... Miceosoft does make some brillant (sic) products like: Zune (dead) Windows CE (dead) Bob (dead) IE (dying) Windows 8 (commercial failure) Windows RT (DOA due to zero support) Windows Phone (Crickets.....)

  • Anonymous
    December 14, 2012
    Found the download for 2008 R2. Still not linked from the MS12-077 KB or Security Bulletin pages (latter says Windows Update only, where it is still not found). But: www.microsoft.com/.../details.aspx works.

  • Anonymous
    December 14, 2012
    Missing mshtml.pdb for this update for IE10RP for Win7 again: SYMSRV:  msdl.microsoft.com/.../4742F1D4C4E1417D8 A17A7776396FAC12/mshtml.pdb not found

  • Anonymous
    December 15, 2012
    @Dennis - There are a lot of Microsoft products that were not mentioned in the list that Tyrone provided. Live Mesh and (recently) Windows Live Mesh come to mind. Every company kills a lot of products. Not only Google and not only Microsoft. Your points are pretty obsolete as it is. @Daryl - In Internet Explorer 9 and below, there are two scripting languages - VBScript and J(ava)Script, so this is probably just legacy code that was not touched as part of a "if it is not broken, do not fix it" attitude that all of us employ. (However, of course, I agree that the browser should employ best practices in its code.)

  • Anonymous
    December 15, 2012
    The comment has been removed

  • Anonymous
    December 15, 2012
    The comment has been removed

  • Anonymous
    December 15, 2012
    The comment has been removed

  • Anonymous
    December 15, 2012
    @Dennis - I have read it when it was posted. Specifically that part, actually. Remote Desktop is a Windows feature. It is not part of SkyDrive and it is not as simple as Live Mesh (I have not tried Windows Live Mesh) was to set up. The second offered alternative (LogMeIn) is not even a Microsoft product. What was it about ignoring the read, you said?

  • Anonymous
    December 15, 2012
    The comment has been removed

  • Anonymous
    December 15, 2012
    The comment has been removed

  • Anonymous
    December 15, 2012
    The comment has been removed

  • Anonymous
    December 16, 2012
    @Dennis - your behavior is atrocious - please stay off this blog unless you can control your childish behavior

  • Anonymous
    December 17, 2012
    none

  • Anonymous
    December 17, 2012
    I do not understand why?.