Microsoft yesterday warned users of two "moderate" Windows flaws that could be remotely exploited to launch a denial-of-service attack or wipe out data. But its monthly fixes don't cover two more holes found in its popular Web browser that could be used to compromise vulnerable machines.
IT security firm Secunia of Copenhagen, Denmark calls the vulnerabilities in Internet Explorer "extremely critical" and recommends users disable active scripting support for all but trusted Web sites.
"The safest thing the end user can do at this point is use an alternative browser when visiting Web sites they don't trust," said Thomas Kristensen, chief technology officer at Secunia. "These vulnerabilities require urgent action, but we'll be lucky if we see an update for this next month."
Secunia warned in its advisory that a variant of the "Location:" local resource access vulnerability can be exploited via a specially crafted URL in the "Location:" HTTP header to open local files. Also, a cross-zone scripting error can be exploited to execute files in the "Local Machine" security zone.
The safest thing the end user can do at this point is use an alternative browser when visiting Web sites they don't trust.
chief technology officerSecunia
The security holes have been confirmed in a fully patched system with Internet Explorer 6.0. For the vulnerabilities to be successfully exploited, a user must be tricked into following a link or view a malicious HTML document. The flaws are actively being exploited in the wild to install adware on users' systems, Secunia said.
A Microsoft spokesman issued a statement last night, saying, "Microsoft is investigating public reports of a malicious attack exploiting vulnerabilities in Internet Explorer which can enable a malicious user to execute code on a computer system. The company is monitoring the situation closely (and) is committed to helping customers keep their information safe."
The statement didn't say how long it will take to issue a fix.
Of the two security bulletins the software giant released yesterday, MS04-016 focuses on a denial-of-service threat in the DirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. DirectPlay is shipped with Microsoft DirectX and allows video games and rich media such as video and other 3-D animation to be played on Windows-based computers. Patches for the affected software can be downloaded from the MS04-016 page.
MS04-017 focuses on a denial-of-service threat and potential for data loss in the Crystal Reports program produced by San Jose, Calif., software maker Business Objects and included in Outlook 2003 with Business Contact Manager, Visual Studio .NET 2003 and Microsoft Business Solutions CRM 1.2. The Outlook and Visual Studio patches can be downloaded from the MS04-017 page. The Business Solutions patch is available at the Business Objects Web site.
Security software maker Symantec of Cupertino, Calif., considers both vulnerabilities a "moderate" risk and recommends users apply the patches as soon as possible.
The latest advisories frustrate Chris Casey, a systems engineer and founder of IT services provider Northern Shore Technical Services of Salem, Mass. His gripe: The software giant is still issuing fixes for problems that should have been solved before the products reached the marketplace.
"These products aren't properly tested before release," Casey said. "The Windows 2000 problems we keep seeing should have been buttoned up a long time ago. I'm a firm believer in doing the job right the first time, but that isn't the case here."