“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer,” IE Product Manager Tyson Storey writes in a company blog post.
“An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user,” Storey continues. “Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.”
Microsoft considers this update “critical” for users of IE9 on Windows clients and “moderate” for those using it on Windows servers.
Users with Windows Update enabled will receive the upgrade automatically. If you want to update manually, you can do so using update management software or by using the Microsoft Update service.
Similar cumulative updates were pushed out by Microsoft in June and August.
The update addresses a number of non-security issues, too. For example, it fixes a problem with lost navigation when clicking a link on a web page that uses a custom pluggable protocol, such as notes:// or skype://.
It also fixes a problem users were having with Windows Live Mail and Windows Mail after installing IE9. (Users were finding that, after installing IE9, they were unable to change font sizes in those mail applications.)
While past versions of Internet Explorer have been criticized for security holes, IE9 is considered to be one of the most secure browsers on the market. A study in August, for example, found that the software offers Web surfers the best protection of any browser against social engineering malware.
NSS Labs researchers discovered that IE9 blocks malicious URLs over 99 percent of the time–compared with just 13.2 percent of the time for Google Chrome, 7.6 percent of the time for Firefox 4 and Safari 5, and 6.1 percent of the time for Opera 11.
Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.