As expected, Microsoft Tuesday issued three security updates -- two of them critical -- patching flaws in Windows and Exchange Server. The software giant warned that attackers could exploit the flaws to cause a denial of service, run malicious code and possibly hijack vulnerable machines.
Not included in this month's patch release are fixes for recently-discovered flaws in Internet Explorer (IE).
The first update, rated critical, fixes a remote code execution flaw in Microsoft Exchange Server.
"An attacker could exploit the vulnerability by constructing a specially crafted message that could potentially allow remote code execution when an Exchange Server processes an e-mail with certain vCal or iCal properties," Microsoft said, adding that the attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The second update, rated critical, addresses flaws in Adobe's Macromedia Flash Player. The problem involves how the media player handles .swf (flash animation) files.
"An attacker could exploit the vulnerability by constructing a specially crafted .swf file that could potentially allow remote code execution" if a user visited a Web site or opened an e-mail attachment containing the malicious file, Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."
This patch covers Microsoft customers who have Flash Player 6.0.79 or earlier installed on machines running Windows XP Service Pack 1, XP Service Pack 2, Windows 98, Windows 98 SE, and Windows Millennium Edition (ME).
According to the Microsoft Security Response Center's Christopher Budd in his Inside MSRC column for SearchSecurity.com, even though Flash Player is produced by Adobe Systems Inc., Microsoft chose to release a bulletin because it redistributes certain versions of the software. Microsoft also said those who run Flash Player on versions of Windows other than those affected should update their player directly from the Adobe Web site.
A third update for this month, labeled moderate, fixes flaws in the Microsoft Distributed Transaction Coordinator (MSDTC), a program within Windows. Microsoft said attackers could exploit denial-of-service and invalid-memory-access vulnerabilities to cause MSDTC to stop responding.
IE flaws remain open
Microsoft released a super-sized fix for Internet Explorer last month, but since then at least three new flaws have surfaced. Since Tuesday's security update didn't include IE patches, it is likely to be at least another month before the browser issues are addressed. There have been no reported attacks against the latest flaws.
The first IE problem is a race condition that appears when security dialogs are displayed and processed; prompting a user to install and execute an ActiveX control. Attackers could exploit this to manipulate the dialog box and remotely compromise a vulnerable system by convincing a user to visit a specially crafted Web page. Attackers could then install or execute a malicious ActiveX control on the victim's machine.
The second problem is an origin validation error that appears when "mhtml:" URL redirections are handled. Attackers could exploit this to read content and data served from another domain in the context of a malicious Web page, FrSIRT said, adding that fully functional exploit code has been released.
The third problem is caused by an error in how certain sequences of nested "object" HTML tags are processed. Attackers could exploit it to launch malicious code and corrupt system memory.
Microsoft has confirmed it is investigating the flaws, and said the first two would take significant user interaction to exploit.