Microsoft warns of fresh IE, Windows flaws

By Bill Brenner, Senior News Writer 08 Feb 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft issued two advisories late Tuesday, warning that attackers could exploit fresh flaws in Internet Explorer (IE) and Windows to launch malicious code or gain elevated system privileges.

The first advisory deals with IE.

"Microsoft is investigating new public reports of a vulnerability in Internet Explorer," a Microsoft spokesman said by e-mail. "Based on that investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system when the user views a specially crafted Windows meta file (WMF) image. The user could view this image on a Web site, as an attachment in an e-mail or view an HTML e-mail of Outlook Express or Outlook."

The unspecified security hole affects IE 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4, and IE 5.5 Service Pack 2 on Microsoft Windows Millennium. The software giant recommended users upgrade to Internet Explorer 6, which isn't affected by the glitch. Also, the issue doesn't affect IE for Windows XP Service Pack 1 and Windows XP Service Pack 2.

The second advisory concerns a security hole in Windows.

"Microsoft is aware of public reports of a tool developed by a security researcher that reads access-control configuration information from the Windows registry, file system, and service control manager database, and feeds raw configuration data to the model," the spokesman said.

As a result, he said, "Microsoft is investigating reports that application of this tool to certain versions of Windows may have discovered possible vulnerabilities in Windows and the ability to allow a malicious user to launch a privilege-escalation attack caused by misconfigurations of the access-control lists."

The company said it is not aware of any attacks attempting to exploit the flaws and that it will continue to investigate, providing additional guidance for customers as necessary.

The advisories came a day after the software giant acknowledged it was looking into reports of another Windows flaw, for which exploit code is circulating.

A vulnerability research group has released details of a security hole attackers could exploit in the Microsoft Windows standard help system to cause a buffer overflow or launch malicious code.

Research site bratax.be said the problem is in Microsoft HTML Help Workshop. "A remote user can cause arbitrary code to be executed on a target computer when the target user opens a malicious .hhp file," bratax said in the advisory. "The code will run with the privileges of the target user."

Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting),  Web Browser Security,  Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Attacks (Buffer Overflows, Cross-Site Scripting) Adobe ColdFusion websites being compromised PCI management: The case for Web application firewalls Month of Twitter Bugs project to document Twitter flaws Adobe issues first quarterly patch release fixing 13 flaws Balancing security and performance: Protecting layer 7 on the network Adobe issues Reader update fixing zero-day flaw The Pipe Dream of No More Free Bugs Security Squad: Federal cybersecurity defenses Oracle issues 43 updates, fixes serious database flaws Attackers target new Microsoft PowerPoint zero-day flaw Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Browser Security Researchers to demonstrate new EV SSL man-in-the-middle hacks Security researchers develop browser-based darknet Microsoft cracks down on click fraud ring Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates IT pros can detect, prevent website vulnerabilities, thwart attacks Stolen FTP credentials likely in massive website attacks Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert US-CERT warns of Gumblar, Martuz drive-by exploits Google study backs browser silent auto update feature Web Browser Security Research Windows Security: Alerts, Updates and Best Practices Microsoft to address DirectShow, ActiveX zero-day flaws New attack code targets Microsoft ActiveX zero-day vulnerability When BIOS updates become malware attacks Microsoft patches WebDAV security vulnerability in bevy of updates Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Hackers targeting unpatched Microsoft DirectShow flaw Microsoft warns of IIS zero-day vulnerability Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw How to perform Microsoft Baseline Security Analyzer (MBSA) scans

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary