Microsoft released five new security updates Tuesday, four of them for critical flaws in Windows and Content Management Server. Attackers could exploit all of the flaws to take complete control of targeted machines, the software giant warned.
One security expert described two of the flaws as "very wormable" because they are server-side glitches attackers can exploit remotely without the user getting involved.
The new patches arrive as IT administrators continue to test and install the fix released last week in MS07-017, which addressed a widely-attacked flaw in the way Windows handles animated cursor (.ani) files.
Four critical updates
Microsoft described the critical flaws addressed Tuesday as those an attacker could exploit to take complete control of an affected system and install programs; view, change, or delete data; or create new accounts with full user rights.
MS07-018 fixes flaws in Microsoft Content Management Server 2001 Service Pack 1 and 2002 Service Pack 2. One problem is in how the server handles a specially crafted HTTP request. It is also prone to a cross-site scripting and spoofing vulnerability. If a malicious script is run, attackers could execute malicious code in the security context of the user. Microsoft did note that attempts to exploit this flaw require user interaction.
MS07-019 fixes a flaw in how the Windows Universal Plug and Play service handles specially crafted HTTP requests. The problem affects Windows XP Service Pack 2, Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2.
Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn., said the flaws in MS07-018 and MS07-019 are the most wormable holes he has seen in some time.
"Both are server-side attacks that could be remotely exploited over the Internet without the user doing anything," he said. "Every XP box on the planet is vulnerable to the Plug and Play flaw. Attackers will be very excited about these."
MS07-020 fixes a glitch in how the Microsoft Agent handles certain specially crafted URLs. This affects Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003, Windows Server 2003 Service Pack 1, Server 2003 Service Pack 2, Windows Server 2003 x64 Edition with Service Pack 1;Windows Server 2003 x64 Edition with Service Pack 2, Windows Server 2003 for Itanium-based Systems, Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems.
MS07-021 fixes flaws in how the Windows Client/Server Run-time Subsystem (CSRSS) handles error messages and connections during the startup and stopping of processes. The problems affect all versions of Windows, including Vista.
The software giant released an update rated important this month. MS07-022 fixes a privilege elevation vulnerability in the Windows Kernel due to incorrect permissions on a mapped memory segment. The flaw affects Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003, Windows Server 2003 Service Pack 1, and Microsoft 2003 Service Pack 2.
Schultze expects exploit code for all five issues to flood the Internet over the next few weeks. But MS07-018 and MS07-019 are the ones IT administrators should install first.
"I would patch the first two right away," he said. "If you have an XP system and the firewall isn't turned on, it may no longer be your XP system."