As expected, Microsoft issued patches for two critical vulnerabilities in its software on May 9, including flaws in its Windows and Exchange products, as part of its monthly security update.
While the companys latest patch distribution is meant to help Microsoft customers fix several well-known loopholes in its software, the update did not address a series of flaws isolated in the firms Internet Explorer browser, as some experts had predicted.
Microsoft typically applies a “critical” rating to high-priority vulnerabilities that can be exploited to allow the propagation of an Internet worm without any user action, and the problems addressed in the May security update appear to fit that bill.
The first critical issue detailed by Microsoft affects its Exchange Server 2000 and Exchange Server 2003 product versions, which, if left unpatched, could allow attackers to take control of machines remotely and install programs, manipulate data or create new user accounts with full usage privileges, the company said.
Microsoft indicated that the remote code execution vulnerability can be exploited using specially crafted messages that allow computers to become infected when Exchange Server processes an e-mail possessing certain properties related to Microsofts vCal or iCal calendar features.
The issue specifically affects Exchange users who have downloaded earlier Microsoft product updates, including the Service Pack 3 release for Exchange 2000, as well as Service Pack 1 and Service Pack 2 updates for Exchange 2003.
The second critical vulnerability detailed by Microsoft involves customers using the companys dominant Windows OS along with Macromedia Flash Player from Adobe, which it reported could also allow for remote code execution.
While Windows users who have downloaded an earlier fix for the Adobe issue are not affected, Microsoft said that those people who did not use the earlier patch may be at an even greater risk of exploitation than before.
The vulnerability specifically relates to the use of Windows with Flash Player version 6 or earlier, including Microsofts Windows XP, Windows 98 and Windows 98 Second Edition products.
For its part, Adobe has recommended that its customers update to the latest version of Flash Player to help cancel out the glitch.
Microsoft said that using the vulnerability, a hacker could potentially log onto an affected PC with administrative user rights and take complete control of an affected system.
End users whose Windows accounts are configured to have fewer access privileges could be less vulnerable to related attacks than users who operate with administrative user rights, the software giant said.
An outsider could exploit the vulnerability by constructing a specially crafted Flash Animation file or by luring a user to visit a Web site or view an e-mail attachment containing the file.
The third patch issued by Microsoft, rated as moderate, involves a flaw in the Distributed Transaction Coordinator in Windows that the company said could allow for related denial-of-service attacks.
Hackers would need to create a specific message to exploit an affected system and could cause the Distributed Transaction Coordinator to stop responding, the company said.
As Microsoft works to plug holes its existing versions of Windows, the company is promising to deliver an operating system with far fewer vulnerabilities with the launch of its much-anticipated Vista product, due out sometime in 2007.
While market researchers working with early review copies of Vista have said that some of the security features built into the product may be a bit overbearing, analysts are also predicting that the companys efforts could reduce the need for aftermarket anti-malware applications, and help prevent the spread of viruses by locking down Windows administrative permissions.