Microsoft on Tuesday released 12 advisories to cover 17 security flaws in a range of products, including high-priority patches for Internet Explorer, Windows Media Player, Windows Messenger and MSN Messenger.
The February batch of patches includes eight “critical” fixes, and Microsoft officials say IT administrators should prioritize and deploy patches for four potentially dangerous code-execution holes.
Stephen Toulouse, program manager at the Microsoft Security Response Center, told eWEEK.com that the company has identified the four “high-priority” patches because of the availability of public exploits that target those holes.
The four are MS05-009, which affects PNG processing in the media player and instant messaging software; MS05-010 for a flaw in the Windows license logging service; MS05-011 for a bug in the Windows Server Message Block; and MS05-014, which is a cumulative fix for the IE browser.
“If youre applying these patches manually, you should prioritize these four,” Toulouse said, warning that a successful attack could cause major damage within a network.
He said the Internet Explorer fix, which has been under development since last October, addresses the previously reported high-risk vulnerabilities that could allow system hijack, cross-site/zone scripting and security bypass.
The IE update affects users of Windows 98, Windows ME, Windows 2000 Service Pack 3 and Service Pack 4, Windows XP Service Pack 1 and Service Pack 2, Windows Server 2003.
According to Microsoft, the IE fix corrects a drag-and-drop flaw that puts users at risk of PC hijack; a URL decoding zone spoofing vulnerability; a DHTML Method heap memory corruption bug; and a cross-domain vulnerability in CDF (Channel Definition Format).
Toulouse also urged Windows users to prioritize and apply patches for the PNG processing flaw that affects Windows Media Player 9 Series, Windows Messenger 5.0, and Microsoft Messenger 6.2 and 6.2.
“An attacker could try to exploit the vulnerability by constructing a malicious PNG that could potentially allow remote code execution if a user visited a malicious Web site or clicked a link in a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system,” Microsoft warned in the advisory.
Next Page: A public update for NT 4.0?
NT Update
The third high-priority patch, MS05-010, fixes a code execution flaw that exists in the Windows License Logging service, which could allow an attacker to take complete control of an affected system.
Affected software includes Windows NT Server 4.0, Windows 2000 Server Service Pack 3 and Service Pack 4, and Windows Server 2003.
Microsoft discontinued support for NT 4.0 last month, but Toulouse said patches were released publicly because of the severity of the vulnerability.
“Thats a vulnerability that exists in the default installation of NT 4.0 server. If this particular update were to be exploited by a criminal attack that was automated, we felt the damage would be widespread.
“In cases where we believe the balance is greater to protect all users, we will take the step to go ahead with public updates for NT 4.0,” Toulouse said.
Microsoft is still supporting NT 4.0 customers who pay premium prices for custom support.
Toulouse pinpointed the MS05-011 advisory as another high-priority update because of the threat it presents. That patch covers a remote code execution flaw in the SMB (Server Message Block) that could allow an attacker to take complete control of the affected system.
The SMB patch applies to users of Windows 2000 Service Pack 3 and Service Pack 4, Windows XP Service Pack 1 and Service Pack 2, and Windows Server 2003.
The Server Message Block flaw was first reported by security research firm eEye Digital Security in August 2004. Toulouse explained that the long-overdue fix was delayed because of the rigid patch-testing mechanism employed by Microsoft engineers.
The February advisories also include:
- MS05-004: An “important” patch for a vulnerability in ASP.NET that could allow an attacker to bypass the security of an ASP.NET Web site and gain unauthorized access.
- MS05-005: A fix for a “critical” buffer overrun flaw in Microsoft Office XP software that could allow an attacker to take complete control of the affected system.
- MS05-006: This corrects a “moderate” vulnerability in Windows SharePoint Services and SharePoint Team Services that could allow cross-site scripting and spoofing attacks.
- MS05-007: An “important” patch for an information-disclosure weakness in Windows XP that could allow an attacker to remotely read the user names for users who have an open connection to an available shared resource.
- MS05-008: A patch with an “important” rating for a privilege-escalation vulnerability in the way that Windows handles drag-and-drop events. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability, Microsoft said.
- MS05-012: A patch for a pair of “critical” code execution flaws in the way Windows and some Microsoft Office programs access memory when they process COM (Component Object Model)-structured storage files. It also fixes a serious bug in the way the OLE service handles input validation.
- MS05-013: A fix for a “critical” cross-domain flaw in the Microsoft DHTML (Dynamic HTML) Editing Component ActiveX control. Microsoft warned that an attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited that page. “An attacker who successfully exploited this vulnerability could take complete control of an affected system.”
- MS05-015: This patch corrects a “critical” hole in the Hyperlink Object Library. This problem exists because of an unchecked buffer while handling hyperlinks, and it could allow a malicious hacker to lure users into visiting a Web page to launch harmful code. “An attacker who successfully exploited this vulnerability could take complete control of the affected system, [but] user interaction is required to exploit this vulnerability,” Microsoft said.
Microsoft originally planned to release 13 advisories, but one was withheld in the final stages of testing because it required more testing before it could be released. The bulletin addresses an “important” vulnerability in Windows. A Microsoft spokeswoman said it would be pushed out only when it is found to be a complete and quality fix for the vulnerability.
Check out eWEEK.coms for Microsoft and Windows news, views and analysis.