Microsoft Patches Critical Flaws
Microsoft Corp. on Thursday released patches for three critical security vulnerabilities in three separate products, two of which could enable an attacker to read files on a user's machine. The company's Commerce Server 2000 software has an unchecked buffer in the ISAPI filter installed by default with the server. AuthFilter, which is used to provide support for several authentication methods, is vulnerable to a buffer overflow attack on a section of code that handles authentication requests. An attacker who was able to exploit the flaw could run the code of his choice on the machine, Microsoft said in a bulletin. The Commerce Server runs in the LocalSystem security context, which would give the attacker complete control of the vulnerable machine.
A separate flaw in the way that Internet Explorer handles Visual Basic script gives an attacker the ability to read local files on a vulnerable PC. IE allows scripts from one domain in a frame in a browser window to access the information in another domain.