Microsoft has patched an "important" Windows vulnerability attackers could use to launch malicious code. But recently revealed flaws in
"I was surprised that more [vulnerabilities] weren't addressed," said Mitchell Ashley, CTO of Louisville, Colo.-based StillSecure. "But I can see why they chose to fix this first. It's the issue that affects the widest group of users if exploited."
This month's update fixes a glitch in how certain HTML characters in preview fields are handled by the Web view in Windows Explorer. The problem affects Windows 2000 SP3 and SP4; Windows 98; Windows 98 Second Edition [SE]; and Windows Millennium Edition.
"If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft said in its bulletin. "An attacker could then install programs; view, change or delete data, or create new accounts with full user rights."
Ashley said this was probably deemed important and not critical because user action is required for an exploit to succeed. But IT administrators can't be complacent, he said.
"This affects a frequently used application in Windows, which is why IT administrators should take it seriously," he said. Besides, he added, "If your shop is the one attacked, they're all critical, are they not?"
Oliver Friedrichs, senior manager of Cupertino, Calif.-based Symantec Security Response, agreed. "It would be fairly easy for an attacker to create a malicious document that could compromise a system and circulate [it] through e-mail or Web sites," he said in a statement. "In order to combat this and other security risks, users should always avoid opening files from unknown sources or following links to unverified sites. In addition, all users should deploy Internet security solutions such as antivirus software and firewall technology."
Unaddressed vulnerabilities this month include one in the Jet Database Engine brought to light last month by security research organization HexView. Attackers could use a memory handling error in the program to launch malicious code. Danish security firm Secunia said the flaw is "highly critical" because exploit code has been posted to a public mailing list. Secunia confirmed the vulnerability on a fully patched system with Microsoft Access 2003 and Windows XP SP1/SP2.
Also unpatched are two vulnerabilities in Internet Explorer and Outlook reported by Aliso Viejo, Calif.-based eEye Digital Security in early April. The first "allows malicious code to be executed, contingent upon minimal user interaction," eEye said, adding that the problem affects Internet Explorer, Outlook and "additional miscellaneous titles." The second vulnerability has the same damage potential and also affects IE and Outlook.
Malware removal tool updated; new advisories unveiled
The software giant also updated its malware removal tool Tuesday and unveiled a new pilot offering called Microsoft Security Advisories. The advisories are meant to provide information and guidance for issues that may not warrant a bulletin but may still impact overall security, Microsoft said. Two such advisories have been released this month.
The first updates an earlier fix for Windows Media Player that addressed a flaw attackers could exploit to launch a malicious Web site without user interaction.
"This Web site could potentially then try and trick the user into downloading and executing malicious software add-ons, such as spyware," Microsoft said. "This social engineering attack abuses a by-design feature in Microsoft Windows Media Player Digital Rights Management [DRM] technology that requires users to have a license to play back a media file."
An update for Windows Media Player is now available that allows users to modify the functionality involving automatic license acquisition to help prevent such attacks, the company said, adding, "This update lets users configure Windows Media Player so they are prompted when the player accesses a Web page to acquire a license. This update is available immediately through the Microsoft Download Center for users of Windows Media Player 10, which requires Microsoft Windows XP, and for users of Windows Media Player 9 Series on Windows XP or on Windows 2000."
The second clarifies the SMTP Tar Pit feature for Exchange Server 2003 in Windows Server 2003 SP1.
"This feature was previously available from Microsoft Product Support Services (PSS) as an update. Microsoft does not require or recommend that all customers implement this feature," the advisory said. "It has been provided as an option for reducing the effectiveness of certain attacks that utilize standard features of the simple mail transfer protocol… By default, the tar pit feature is disabled."