The cracks in Microsoft Windows keep getting bigger.
With the Lovsan and Nachi worms still exploiting critical holes in Windows' Remote Procedure Call protocol, Microsoft announced three new critical vulnerabilities Wednesday that merit the immediate attention of IT administrators.
Microsoft rolled fixes for two new vulnerabilities in Internet Explorer into a cumulative patch for the ubiquitous Web browser. Also, critical flaws were announced in Windows components DirectX and MDAC. In each instance, an attacker would be able to run code of their choice on a vulnerable Windows system.
Internet Explorer fix
The cumulative patch for IE affects versions 5.01, 5.5, 6.0 and 6.0 for Windows Server 2003 and includes fixes for two newly discovered holes. The first is a vulnerability in IE's cross-domain security model that could enable an outsider to execute script in the My Computer zone, Microsoft said. Exploiting the flaw might be difficult, however. An attacker would have to create a malicious Web page that exploits the hole and persuade someone to visit the page, mostly likely via an HTML e-mail.
A second critical vulnerability occurs when IE fails to properly determine an object type returned from a Web server. Again, a user would have to visit a malicious Web page created by an attacker. No other user action, however, would be necessary to exploit this hole.
The cumulative patch also repairs the way IE renders HTML files, specifically input type tags, Microsoft said. An exploit could cause the browser or Outlook to crash. The patch also sets the Kill Bit on the BR549.DLL ActiveX control.
Microsoft points out that by default, IE on Windows Server 2003 runs in enhanced security configuration, which blocks these attacks. This configuration can be turned off by an administrator.
Unchecked buffer in DirectX
Unchecked buffers were discovered in numerous versions of DirectX on different versions of Windows. DirectX is made up of several low-level APIs that Windows uses to support multimedia, like client-side audio and video.
Two buffer overruns in DirectX's DirectShow component, which checks the parameters of a MIDI file, could enable an attacker to hijack a system. However, attackers would need to create a malicious MIDI file and host it on a Web page or network share, or send it via HTML e-mail.
Affected versions include: DirectX 5.2 on Windows 98; DirectX 6.1 on Windows 98 SE; DirectX 7.1 on Windows ME; DirectX 7.0 on Windows 2000; DirectX 8.0, 8.0a, 8.1, 8.1a and 8.1b on Windows 98 and 98 SE, Windows ME or Windows 2000; DirectX 8.1 on Windows XP or Windows Server 2003; DirectX 9.0a on Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP or Windows Server 2003; Windows NT 4.0 Terminal Server Edition and NT 4.0 with Windows Media Player 6.4 or IE 6 Service Pack 1 installed.
More buffer overflows in MDAC
Critical buffer overflow vulnerabilities were detailed in Microsoft Data Access Components (MDAC) 2.5, 2.6 and 2.7. This patch corrects a previous fix for MDAC, which Microsoft said did not install correctly on some systems.
MDAC components provide database connectivity on Windows platforms and is likely present on most Windows systems, Microsoft said. A buffer overflow was discovered in one of the Open Database Connectivity (ODBC) components in MDAC.
This also impacts enterprises running SQL Server. Attackers could exploit this hole by using the Transact-SQL OpenRowSet command. Submitting a database query with a malformed parameter could overrun the buffer and either crash SQL Server or enable an attacker to run code of their choice.
Exploiting this hole would require an attacker to build a malicious Web page or HTML e-mail message and entice the user to take action.
FOR MORE INFORMATION:
FEEDBACK: Since the outbreak of Lovsan/Blaster last week, and in the wake of today's new Microsoft vulnerabilities, how have you prioritized what problems you'll address first?
Send your feedback to the SearchSecurity.com news team.