Home > Security News > Microsoft issues critical patches for IE, Windows apps
Security News:
EMAIL THIS

Microsoft issues critical patches for IE, Windows apps

By Anne Saita, News Director
11 Oct 2005 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

As anticipated, Microsoft on Tuesday released nine security patches, three of which seal critical holes in the software giant's streaming media software architecture, widely used Internet Explorer Web browser and other key operating-system components.

Among the most severe is the update for a COM object instantiation memory corruption flaw in Internet Explorer. Microsoft planned to issue the update last month, but withdrew it at the last moment for more testing.

This fix, which covers Windows operating systems ranging back as far as Windows 98, prevents intruders from gaining remote control via a malicious Web page that manipulates the way the IE Web browser instantiates COM objects not intended for such use.

Another update fixes an unchecked buffer in Windows' DirectShow application, used for capturing and view streaming media on Microsoft Windows systems with and without video and audio acceleration. It is also integrated with DirectX technologies and is used for DVD players, MP3 players, digital video capture software and other popular media downloads.

If exploited, an attacker can remotely take over an affected system and install programs, change or delete data or create new accounts with full user rights. The flaw primarily targets the following workstation and desktop combinations:

  • Systems running DirectX 8.1 on Microsoft Windows XP Service Pack 1
  • Systems running DirectX 7.0 on Windows 2000 with Service Pack 4
  • Systems running DirectX 7.0 on Microsoft Windows XP with Service Pack 2, as well as XP Professional x64, Windows Server 2003 -- with and without Service Pack 1 -- and older OSes such as Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME).

    The update removes the vulnerability by modifying the way DirectShow validates the length of a message before passing it to the allocated buffer.

    The third critical update patches vulnerabilities with Microsoft Distributed Transaction Coordinator (MSDTC) service and COM+ service to prevent remote control and privilege escalation by attackers. In addition, the same patch seals important, but not critical, holes in the TIP. Among the affected OS versions are Windows XP with SP1 and SP2, and multiple flavors of Windows Server 2003. "These patches resolve a number of critical client-side vulnerabilities that may be used to install malicious software or potential security risks such as spyware and adware on end-user computers," said Oliver Friedrichs, senior manager for Symantec Security Response, in a prepared statement. "Symantec recommends that users apply the updates as quickly as possible and refrain from opening unknown attachments or clicking on suspicious links that arrive via email or instant messages."

    Other patches released Tuesday include:

    • A fix for a moderate flaw in the Windows FTP Client that could allow file transfer location tampering. Impacted systems include Windows XP and XP with SP1; Windows Server 2003 and Server 2003 with Itanium-based systems; and Internet Explorer, with SP1 installed, running on certain Windows 2000 machines.
    • A patch for a moderate vulnerability in Network Connection Manager that could allow a denial of service. Affected software includes: Microsoft Windows 2000 Service Pack 4; Microsoft Windows XP SP1 and Microsoft Windows XP SP2; and Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1.
    • An "important" fix for a hole in the client service for NetWare that could allow machines to be remotely controlled. The same software as listed for the Network Connection Manager flaw is impacted by this vulnerability.
    • An "important" security update for a flaw in Windows' Plug and Play that allows remote code to be executed and also allows elevated privilege. Microsoft Windows 2000 SP4, Windows XP SP1 and Windows XP SP2 specifically are included.
    • Another important update to fix a flaw in Microsoft Collaboration Data Objects that could allow remote code execution.
    • Vulnerabilities in Windows Shell that could allow an attacker to run remotely executed code.


      • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


      RELATED RESOURCES
      2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
      Search Bitpipe.com for the latest white papers and business webcasts
      Whatis.com, the online computer dictionary


    • More Tips to Secure Your Network
    Focused on Channel Security?
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts