Microsoft Preps Patches for Critical Flaws

The company's first monthly security patch rollout for 2005 will comprise three Windows fixes; the maximum severity rating is "critical."

Microsoft Corp.s first monthly patch day for 2005 will include security fixes for three vulnerabilities in Windows products, the software giant said Thursday.

As part of its advance notice mechanism, Microsoft said the maximum severity rating for the three updates is "critical." The security updates may require a restart.

It is not known whether all three flaws are "critical," and Microsoft is withholding details until the patches are released.

The next batch of patches is due Tuesday, Jan. 11.

Patches with "critical" ratings are reserved for flaws that the company considers "wormable." A critical vulnerability means that, in the default scenario on an Internet-facing PC, an attacker could exploit it in such a way that it spreads from machine to machine.

Microsoft has already confirmed it was investigating a warning from a Chinese community group called Xfocus Team that pointed to several high-risk vulnerabilities affecting multiple versions of Windows.

Information on those three flaws was also re-released by Symantec Corp. with a warning that proof-of-concept exploits were circulating.

The most serious of the three vulnerabilities involves the Windows LoadImage API Function in Windows. It was described by Xfocus Team as an integer overflow that could be exploited via browsers or e-mail client software. Users who open an HTML message or Web page bearing the image could face security risks.

The other two vulnerabilities were pinpointed in the Help system and in Windows ANI (Animated Cursor Image) format authentication.

On Tuesday, Microsoft also plans to release a malicious software removal tool, which will be updated once a month via the Windows Update and Automatic Update utilities.


Check out eWEEK.coms for Microsoft and Windows news, views and analysis.