Microsoft Corp. on Wednesday released patches for two critical flaws in Internet Explorer that enable an attacker to run code on a vulnerable PC.
These two vulnerabilities are also the first to potentially affect the recently released Windows Server 2003 operating system. However, the new version of Windows blocks both of these attacks in its default configuration, according to Microsoft security executives.
The first vulnerability is a buffer overrun that results from IEs failure to properly determine an object type returned from a Web server. An attacker would be able to exploit this problem simply by having a user with a vulnerable machine visit a malicious Web site set up for this purpose. The user would not have to take any other actions once on the site.
The second vulnerability is a result of IE not implementing a block on a file download dialog box. Both vulnerabilities would allow the attacker to run code on the users machine.
The problems affect IE 5.01, 5.5, 6.0 and 6.0 for Windows Server 2003. Microsoft executives say that the new security safeguards in Windows Server 2003 were designed specifically to prevent these kinds of attacks by default. Of course, customers often change the default configuration after installation.
"In the lock-down configuration, these vulnerabilities just dont fire," said Steve Lipner, director of security engineering strategy at Microsoft, based in Redmond, Wash. "We did it to achieve this benefit. Thats a really significant thing."
Most installations of the new OS wont have a Web browser running very often anyway, Lipner said, unless it is to download security fixes or other updates. "You dont typically use this server for normal Web browsing," he said.
Microsoft officials have said that the first real test of its Trustworthy Computing initiative will be the security of its newest Windows release. They believe that if Windows Server 2003 shows real progress on security relative to older versions of Windows it will be a key validation for their effort.
And it wont be long before the first empirical evidence of that security is available. Lipner said Microsoft plans to release a comparison of the number of vulnerabilities found in Windows Server 2003 and older versions of the OS later this summer.
While the new patch is rated critical for all other versions of Windows, it is only a moderate risk for 2003 installations. The patch is available here.
Discuss this in the eWeek forum.