Microsoft gave IT administrators plenty of work to do Tuesday, releasing a mega-fix that patches security holes in Internet Explorer (IE), Outlook Express and a variety of other programs within Windows. Attackers can use most of the flaws to take complete control of affected machines, the software giant warned.
Of the five security updates, three are rated critical, one important and one moderate.
The first update is a critical cumulative fix for IE. Among other things, it addresses the much-publicized createTextRange flaw, which has reportedly been targeted by more than 200 malicious Web sites.
Heightened anxiety regarding the flaw prompted Aliso Viejo, Calif.-based eEye Digital Security Inc. and Redwood City, Calif.-based vulnerability protection firm Determina Inc. to release their own fixes.
The cumulative update patches 10 IE security holes in all. Microsoft said an attacker could exploit these flaws to take complete control of an affected system and install programs; view, change or delete data; or create new accounts with full user rights.
Specifically, the update addresses problems in how the browser:
ActiveX changes and compatibility patch
The cumulative IE fix also makes changes in how the browser handles ActiveX controls. Microsoft was forced to make the adjustments as a result of the Eolas Technologies and the Regents of the University of California v. Microsoft patent case (Eolas v. Microsoft).
Eolas and the University of California sued Microsoft for patent infringement in 1999, with Eolas claiming Microsoft infringed by baking ActiveX into IE. A jury sided with the plaintiffs in 2003 and awarded them damages of $520.6 million. The software giant appealed and won a retrial in 2005. The case was returned to the district court level, but despite the appeal Microsoft was forced to make the changes so it wouldn't be found in contempt of court.
Although most Internet sites have already prepared for the changes, Microsoft said some enterprise customers asked for more time to ensure the changes won't have a serious impact on their networks.
As a result, Tuesday's update includes a compatibility patch that temporarily returns IE to the previous functionality for handling ActiveX controls. Microsoft said the patch will work until an IE update is released as part of the June patching cycle, at which time the ActiveX changes will be made permanent.
Patches for Windows, Outlook Express
The second update is critical and fixes a remote code execution vulnerability in the RDS.Dataspace ActiveX control, which is part of ActiveX Data Objects (ADO) and is distributed via Microsoft Data Access Components (MDAC), a collection of components used to provide database connectivity on Windows platforms. An attacker who successfully exploited this vulnerability could take complete control of an affected system, Microsoft said.
The third update is critical and fixes a remote code execution vulnerability in Windows Explorer involving the way the program handles COM objects. "An attacker would need to convince a user to visit a Web site that could force a connection to a remote file server," Microsoft said. "This remote file server could then cause Windows Explorer to fail in a way that could allow code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
The fourth update, rated important, is a cumulative fix for Outlook Express, addressing a remote code execution vulnerability that appears in Outlook Express when a Windows Address Book (.wab) file is used. Microsoft said attackers could exploit the flaw to take complete control of the affected system.
The fifth update, deemed moderate, is a fix for a cross-site scripting vulnerability an attacker could exploit to run client-side script on behalf of a FrontPage Server Extensions (FPSE) user. "The script could spoof content, disclose information, or take any action that the user could take on the affected Web site," Microsoft said. "An attacker who successfully exploited this vulnerability against an administrator could take complete control of a FrontPage Server Extensions 2002 server."
Odds and ends
Also Tuesday, Microsoft re-released a February security update for Windows Media Player. The update addressed a flaw in how Media Player processes bitmap files. An attacker could exploit the vulnerability by constructing a malicious bitmap file (.bmp) that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message, Microsoft said.
The update was re-released Tuesday to advise customers that revised versions of the security update are available for Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2, the software giant said.
And as it does every month, Microsoft updated its malware removal tool. This month's update removes Win32.Locksky, Win32.Valla and Win32.Reatle.