
Microsoft releases five fixes for IE, Windows

By Bill Brenner, Senior News Writer
11 Apr 2006 | SearchSecurity.com

Security Wire Daily News

Microsoft gave IT administrators plenty of work to do Tuesday, releasing a mega-fix that patches security holes in Internet Explorer (IE), Outlook Express and a variety of other programs within Windows. Attackers can use most of the flaws to take complete control of affected machines, the software giant warned.

Of the five security updates, three are rated critical, one important and one moderate.

Cumulative IE fix
The first update is a critical cumulative fix for IE. Among other things, it addresses the much-publicized createTextRange flaw, which has been reportedly targeted by more than 200 malicious Web sites.

Heightened anxiety regarding the flaw prompted Aliso Viejo, Calif.-based eEye Digital Security Inc. and Redwood City, Calif.-based vulnerability protection firm Determina Inc. to release their own fixes.

The cumulative update patches 10 IE security holes in all. Microsoft said an attacker could exploit these flaws to take complete control of an affected system and install programs; view, change or delete data; or create new accounts with full user rights.

Specifically, the update addresses problems in how the browser:

  • Displays Web pages that contain certain unexpected method calls to HTML objects (this is the createTextRange flaw);
  • Handles multiple event handlers in an HTML element;
  • Initiates an HTML application (HTA), where security controls within IE are bypassed;
  • Handles specially crafted, invalid HTML;
  • Instantiates COM objects that are not intended to be instantiated in IE;
  • Handles HTML elements that contain a specially crafted tag;
  • Handles double-byte characters in specially crafted URLs;
  • Returns IOleClientSite information when an embedded object is dynamically created;
  • Handles navigation methods; and
  • Could enable attackers to display spoofed content in a browser window.

ActiveX changes and compatibility patch
The cumulative IE fix also makes changes in how the browser handles ActiveX controls. Microsoft was forced to make the adjustments as a result of the Eolas Technologies and the Regents of the University of California v. Microsoft patent case (Eolas v. Microsoft).

Eolas and the University of California sued Microsoft for patent infringement in 1999, with Eolas claiming Microsoft infringed by baking ActiveX into IE. A jury sided with the plaintiffs in 2003 and awarded them damages of $520.6 million. The software giant appealed and won a retrial in 2005. The case was returned to the district court level, but despite the appeal Microsoft was forced to make the changes so it wouldn't be found in contempt of court.

Although most Internet sites have already prepared for the changes, Microsoft said some enterprise customers asked for more time to ensure the changes won't have a serious impact on their networks.

As a result, Tuesday's update includes a compatibility patch that temporarily returns IE to the previous functionality for handling ActiveX controls. Microsoft said the patch will work until an IE update is released as part of the June patching cycle, at which time the ActiveX changes will be made permanent.

Patches for Windows, Outlook Express
The second update is critical and fixes a remote code execution vulnerability in the RDS.Dataspace ActiveX control, which is part of ActiveX Data Objects (ADO) and is distributed via Microsoft Data Access Components (MDAC), a collection of components used to provide database connectivity on Windows platforms. An attacker who successfully exploited this vulnerability could take complete control of an affected system, Microsoft said.

The third update is critical and fixes a remote code execution vulnerability in Windows Explorer involving the way the program handles COM objects. "An attacker would need to convince a user to visit a Web site that could force a connection to a remote file server," Microsoft said. "This remote file server could then cause Windows Explorer to fail in a way that could allow code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system."

The fourth update, rated important, is a cumulative fix for Outlook Express, addressing a remote code execution vulnerability that appears in Outlook Express when a Windows Address Book (.wab) file is used. Microsoft said attackers could exploit the flaw to take complete control of the affected system.

The fifth update, deemed moderate, is a fix for a cross-site scripting vulnerability an attacker could exploit to run client-side script on behalf of a FrontPage Server Extensions (FPSE) user. "The script could spoof content, disclose information, or take any action that the user could take on the affected Web site," Microsoft said. "An attacker who successfully exploited this vulnerability against an administrator could take complete control of a FrontPage Server Extensions 2002 server."

Odds and ends
Also Tuesday, Microsoft re-released a February security update for Windows Media Player. This addressed a flaw in how Media Player processes bitmap files. An attacker could exploit the vulnerability by constructing a malicious bitmap file (.bmp) that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message, Microsoft said.

The update was re-released Tuesday to advise customers that revised versions of the security update are available for Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2, the software giant said.

And as it does every month, Microsoft updated its malware removal tool. This month's update removes Win32.Locksky, Win32.Valla and Win32.Reatle.
