Microsoft Releases Raft of New Patches
One of the patches fixes a flaw in Windows that lets attackers run code on remote systems.
Microsoft Corp. on Wednesday issued a raft of new patches, including one for a vulnerability in a component of Windows that gives an attacker the ability to run any code of their choice on remote systems. The vulnerability lies in an ActiveX control found in the Windows HTML Help Facility. One of the functions exposed by the control contains an unchecked buffer, which an attacker could exploit with a malicious Web page or HTML mail message. A successful exploitation of the flaw would give the attacker the ability to run code in the same context as the user.
A second flaw in the Help Facility involves the way the service handles compiled HTML Help files that contain shortcuts. The shortcuts should only be used by the Help files, but in a case where a Web page or HTML mail message delivers a Help file to the Temporary Internet Files folder and then executes it, the Help Facility handles the file in the Local Computer zone. The file is thus considered to be a trusted one and is allowed to use the shortcut, which is capable of taking any action on the machine.