Two of three security bulletins Microsoft issued Tuesday address "critical" Windows security holes an attacker could use to take over computers and install programs; view, change or delete data; or create new accounts with full privileges.
Security experts said users should install patches immediately since attackers have already had their way with some of the vulnerabilities, most notably one involving the HTML Help ActiveX control.
"The issues in the critical bulletins are the ones you'll see exploited through Web sites, mass-mailing worms and bots," said Mike Murray, director of vulnerability and exposure research for San Francisco-based security firm nCircle. "Just about all the major Windows programs are affected. The time to patch was yesterday. Until you do so, everything is open to immediate exploit. You also want to be very aware of the pages you're going to on the Internet. Be wary of unfamiliar e-mails."
Sunil James, who runs the Vulnerability Aggregation Team at Reston, Va.-based security firm iDefense, agreed. "The [HTML Help ActiveX control flaw] stands out in particular," he said. "Patch this one up quickly, if possible."
James said the vulnerability first came to light in October and that a number of exploits have been released since then. "We considered this vulnerability to be of significant importance, considering the quickness with which these exploits were developed, and the fact that the December holidays were fast approaching … a ripe time for hackers to exploit vulnerabilities, considering that many system administrators are away on vacation."
Thor Larholm, senior security researcher with Newport Beach, Calif.-based security firm PivX Solutions, noted that one exploit, the Phel Trojan horse, did strike in late December. "Some of what's addressed in this month's bulletins is new," he said. "But some of it's very old, dating back to 2000."
The first bulletin fixes the already-exploited vulnerability in the HTML Help ActiveX control. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited that page," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."
The flaw affects Windows Server 2003, Windows 98, ME, 2000 and XP, including Service Pack 2. Windows NT 4.0 is also affected if Internet Explorer 6.0 SP1 has been installed.
The second addresses two critical flaws in how cursor, animated cursor and icon formats are handled. The first is a remote code execution vulnerability; the second a denial-of-service flaw.
Of the first issue, Microsoft said: "An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
The second problem would be exploited in the same manner, but "could potentially cause the operating system to become unresponsive. The operating system would have to be restarted to restore functionality," Microsoft said.
These affect Windows 98, ME, NT, 2000, XP and Server 2003.
The third advisory addresses an "important" vulnerability in how the Indexing Service handles query validation. "An attacker could exploit the vulnerability by constructing a malicious query that could potentially allow remote code execution on an affected system," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. While remote code execution is possible, an attack would most likely result in a denial-of-service condition."
This affects Windows 2000, XP (but not SP2), and Windows Server 2003.