Microsoft Releases Raft of New Patches | eWeek

Microsoft Releases Raft of New Patches

Écrit par
Dennis Fisher
Dennis Fisher
Oct 3, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Microsoft Corp. on Wednesday issued a raft of new patches, including one for a vulnerability in a component of Windows that gives an attacker the ability to run any code of choice on remote systems.

The vulnerability lies in an ActiveX control found in the Windows HTML Help Facility. One of the functions exposed by the control contains a an unchecked buffer, which an attacker could exploit with a malicious Web page or HTML mail message.

A successful exploitation of the flaw would give the attacker the ability to run code in the same context as the user.

A second flaw in the Help Facility involves the way the service handles compiled HTML Help files that contain shortcuts. The shortcuts should only be used by the Help files, but in a case where a Web page or HTML mail message delivers a Help file to the Temporary Internet Files folder and then executes it, the Help Facility handles the file in the Local Computer zone. The file is thus considered to be a trusted one and is allowed to use the shortcut, which is capable of taking any action on the machine.

The patch for these problems is available here.

Microsoft also issued a new cumulative patch for SQL Server 7 and 2000 that fixes four newly discovered vulnerabilities, as well. The most serious of the new flaws is a buffer overrun in one of the Database Console Commands. An attacker exploiting this vulnerability would be able to gain complete control of the SQL server, Microsoft said in its advisory.

Another buffer overrun in a section of code in SQL Server 2000 associated with user authentication gives an attacker the ability to run code in the context of the SQL Server service.

The SQL patch is available here.

The Redmond, Wash., company issued two other patches Wednesday for somewhat less serious problems. The first is for two vulnerabilities in the file decompression function in Windows 98 Plus, Me and XP, one of which could allow an attacker to run arbitrary code on a vulnerable machine. That patch is located here.

The other patch is for three flaws in the Interix SDK that ships with Microsofts Service for Unix 3.0. The fix is available here.

Related Stories:

  • Bugbear Virus Still Running Wild
  • More Security Coverage
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.