As anticipated, Microsoft on Tuesday released nine security patches, three of which seal critical holes in the software giant's streaming media software architecture, widely used Internet Explorer Web browser and other key operating-system components.
Among the most severe is the update for a COM object instantiation memory corruption flaw in Internet Explorer. Microsoft planned to issue the update last month, but withdrew it at the last moment for more testing.
This fix, which covers Windows operating systems ranging back as far as Windows 98, prevents intruders from gaining remote control via a malicious Web page that manipulates the way the IE Web browser instantiates COM objects not intended for such use.
Another update fixes an unchecked buffer in Windows' DirectShow application, used for capturing and view streaming media on Microsoft Windows systems with and without video and audio acceleration. It is also integrated with DirectX technologies and is used for DVD players, MP3 players, digital video capture software and other popular media downloads.
If exploited, an attacker can remotely take over an affected system and install programs, change or delete data or create new accounts with full user rights. The flaw primarily targets the following workstation and desktop combinations:
The update removes the vulnerability by modifying the way DirectShow validates the length of a message before passing it to the allocated buffer.
The third critical update patches vulnerabilities with Microsoft Distributed Transaction Coordinator (MSDTC) service and COM+ service to prevent remote control and privilege escalation by attackers. In addition, the same patch seals important, but not critical, holes in the TIP. Among the affected OS versions are Windows XP with SP1 and SP2, and multiple flavors of Windows Server 2003. "These patches resolve a number of critical client-side vulnerabilities that may be used to install malicious software or potential security risks such as spyware and adware on end-user computers," said Oliver Friedrichs, senior manager for Symantec Security Response, in a prepared statement. "Symantec recommends that users apply the updates as quickly as possible and refrain from opening unknown attachments or clicking on suspicious links that arrive via email or instant messages."
Other patches released Tuesday include:
- A fix for a moderate flaw in the Windows FTP Client that could allow file transfer location tampering. Impacted systems include Windows XP and XP with SP1; Windows Server 2003 and Server 2003 with Itanium-based systems; and Internet Explorer, with SP1 installed, running on certain Windows 2000 machines.
- A patch for a moderate vulnerability in Network Connection Manager that could allow a denial of service. Affected software includes: Microsoft Windows 2000 Service Pack 4; Microsoft Windows XP SP1 and Microsoft Windows XP SP2; and Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1.
- An "important" fix for a hole in the client service for NetWare that could allow machines to be remotely controlled. The same software as listed for the Network Connection Manager flaw is impacted by this vulnerability.
- An "important" security update for a flaw in Windows' Plug and Play that allows remote code to be executed and also allows elevated privilege. Microsoft Windows 2000 SP4, Windows XP SP1 and Windows XP SP2 specifically are included.
- Another important update to fix a flaw in Microsoft Collaboration Data Objects that could allow remote code execution.
- Vulnerabilities in Windows Shell that could allow an attacker to run remotely executed code.