Microsoft patches critical IE, Windows flaws

The software giant also addressed security holes in Outlook Express and the Exchange, ISA and Small Business servers.

Microsoft urged IT administrators to quickly install the 10 security updates it handed down Tuesday for critical flaws in Internet Explorer and Windows, plus smaller vulnerabilities in some of its server products. Attackers could use the worst of these to install programs; view, change or delete data; or create new accounts with full user rights.

Which updates deserve the most urgency? Brian Grayek, CTO of Carlsbad, Calif.-based security firm Preventsys, said network managers should always be concerned when a flaw affects Windows, Internet Explorer or Exchange Server.

"Immediately you think of impact and severity -- how badly it can penetrate your environment," he said. "You always want to be on top of any vulnerability that affects your operating system, browser or mail server."

Mitchell Ashley, CTO of Colorado security firm StillSecure, agreed. "Since so many people use IE, the chances are much greater that they'll be exploited," he said. "The PNG and XML flaws [in Internet Explorer] should definitely be at the top of any IT manager's priority list."

Here's a breakdown of this month's security updates, in order of criticality:

Three critical flaws for IE, Windows
The first critical update fixes two security holes in Internet Explorer.

One flaw is in how the browser handles PNG images. "An attacker could exploit the vulnerability by constructing a malicious PNG image that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

Another flaw is in how the browser handles certain requests to display XML content. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially lead to information disclosure if a user visited a malicious Web site or viewed a malicious e-mail message," Microsoft said. "An attacker who successfully exploited this vulnerability could read XML data from another Internet Explorer domain." A successful attacker could also install programs; view, change or delete data; or create new accounts with full user rights.

The second update fixes a flaw in HTML Help attackers could exploit to install programs; view, change or delete data; or create new accounts with full user rights.

The third update fixes a flaw in Server Message Block (SMB) attackers could exploit to install programs; view, change or delete data; or create new accounts with full user rights.

Four important flaws affect Windows, Exchange Server, Outlook Express
The first "important" update fixes a glitch in how Windows processes Web Client requests. Attackers could exploit this to install programs; view, change or delete data; or create new accounts with full user rights.

The second fixes a cross-site scripting vulnerability in Outlook Web Access for Exchange Server 5.5. Attackers could exploit this to trick users into running a malicious script.

The third fixes a security hole that opens in Outlook Express when it's used as a newsgroup reader. "An attacker could exploit the vulnerability by constructing a malicious newsgroup server that could allow remote code execution if a user queries the server for news," Microsoft said. "An attacker who successfully exploited this vulnerability could install programs; view, change or delete data; or create new accounts with full user rights."

The fourth fixes a flaw in how the Step-by-Step Interactive Training program handles bookmark link files. "An attacker could exploit the vulnerability by constructing a malicious bookmark link file that could potentially allow remote code execution if a user visited a malicious Web site or opened a malicious attachment that was provided in an e-mail message," Microsoft said. "An attacker who successfully exploited this vulnerability could install programs; view, change or delete data; or create new accounts with full user rights."

Three moderate flaws in Windows, Small Business Server

The first moderate update fixes a Windows-based flaw attackers could exploit to spoof trusted Internet content. "Users could believe that they are accessing trusted Internet content," Microsoft said. "However, they are accessing malicious Internet content such as a malicious Web site."

The second fixes a flaw in Windows attackers could exploit to read the session variables for users who have open connections to a malicious telnet server.

The third addresses flaws in Internet Security and Acceleration (ISA) Server 2000 Service Pack 2, Small Business Server 2000 and Small Business Server 2003 Premium Edition.

One vulnerability is in how ISA Server 2000 handles malformed HTTP requests. "An attacker could exploit the vulnerability by constructing a malicious HTTP request that could potentially allow an attacker to poison the cache of the affected ISA server," Microsoft said. "As a result, the attacker could either bypass content restrictions and access content that they would normally not have access to or they could cause users to be directed to unexpected content. Additionally, an attacker could use this in combination with a separate Cross Site Scripting vulnerability to obtain sensitive information such as logon credentials."

Another problem is an elevation of privilege flaw in ISA Server 2000 attackers could exploit to create a NetBIOS connection with an ISA Server using the NetBIOS [all] predefined packet filter. The attacker would be limited to services that use the NetBIOS protocol running on the affected ISA Server, Microsoft said.

This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close