Microsoft warns of fresh IE, Windows flaws

By Bill Brenner, Senior News Writer 08 Feb 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft issued two advisories late Tuesday, warning that attackers could exploit fresh flaws in Internet Explorer (IE) and Windows to launch malicious code or gain elevated system privileges.

The first advisory deals with IE.

"Microsoft is investigating new public reports of a vulnerability in Internet Explorer," a Microsoft spokesman said by e-mail. "Based on that investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system when the user views a specially crafted Windows meta file (WMF) image. The user could view this image on a Web site, as an attachment in an e-mail or view an HTML e-mail of Outlook Express or Outlook."

The unspecified security hole affects IE 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4, and IE 5.5 Service Pack 2 on Microsoft Windows Millennium. The software giant recommended users upgrade to Internet Explorer 6, which isn't affected by the glitch. Also, the issue doesn't affect IE for Windows XP Service Pack 1 and Windows XP Service Pack 2.

The second advisory concerns a security hole in Windows.

"Microsoft is aware of public reports of a tool developed by a security researcher that reads access-control configuration information from the Windows registry, file system, and service control manager database, and feeds raw configuration data to the model," the spokesman said.

As a result, he said, "Microsoft is investigating reports that application of this tool to certain versions of Windows may have discovered possible vulnerabilities in Windows and the ability to allow a malicious user to launch a privilege-escalation attack caused by misconfigurations of the access-control lists."

The company said it is not aware of any attacks attempting to exploit the flaws and that it will continue to investigate, providing additional guidance for customers as necessary.

The advisories came a day after the software giant acknowledged it was looking into reports of another Windows flaw, for which exploit code is circulating.

A vulnerability research group has released details of a security hole attackers could exploit in the Microsoft Windows standard help system to cause a buffer overflow or launch malicious code.

Research site bratax.be said the problem is in Microsoft HTML Help Workshop. "A remote user can cause arbitrary code to be executed on a target computer when the target user opens a malicious .hhp file," bratax said in the advisory. "The code will run with the privileges of the target user."

Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting),  Web Browser Security,  Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Attacks (Buffer Overflows, Cross-Site Scripting) Latest zero-day attacks only target IE 6, Microsoft says Social networking security: Twitter, Facebook hacker attacks climbing Web application attacks security guide: Preventing attacks and flaws How to stop buffer-overflow attacks and find flaws, vulnerabilities Preventing and stopping SQL injection hack attacks Distributed denial-of-service protection: How to stop DDoS attacks Prevent cross-site scripting hacks with tools, testing Firefox, Opera, Safari browsers top list of high risk software Information security book excerpts and reviews Quiz: How to build secure applications Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Browser Security Microsoft warns that IE zero-day vulnerability causes data leakage Browser exploit kit probe highlights need for patching, vigilance Google to pay for Chrome browser vulnerabilities Attackers continue barrage of SEO attacks Microsoft emergency IE update to block latest corporate attacks Facebook, McAfee partner to fix social network security issues Firefox, Opera, Safari browsers top list of high risk software Mozilla fixes Firefox critical memory corruption errors FBI estimates rogue antivirus losses exceeding $150 million Adobe updates Flash Player, fixes seven serious vulnerabilities Web Browser Security Research Windows Security: Alerts, Updates and Best Practices Microsoft to fix 26 flaws in Windows, Office Microsoft warns that IE zero-day vulnerability causes data leakage Microsoft issues critical security update, blocks IE 6 attacks Microsoft emergency IE update to block latest corporate attacks Latest zero-day attacks only target IE 6, Microsoft says Hackers used IE zero-day in Google, Adobe attacks, McAfee says Microsoft issues advisory on Internet Explorer zero-day Microsoft releases Windows OpenType Font Engine patch Microsoft to patch single Windows 2000 vulnerability IIS configuration error leads to increased threat, Microsoft says

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary