Microsoft Corp. last week issued patches for three flaws in various versions of Windows, two of which give attackers the ability to run their own code on vulnerable machines.
The most serious of the vulnerabilities affects all currently supported versions of Windows, from Windows 98 through Windows Server 2003. The problem lies in the HTML converter, which allows users to handle HTML files. An attacker who could create a special conversion request could cause the converter to fail in a way that enables the attacker to execute code on the users machine. The code would run with the users privileges.
This is one of the first vulnerabilities to affect Windows Server 2003, an operating system the company has touted as Microsofts most secure. It was the first major product to be built from the ground up under the companys Trustworthy Computing philosophy.
Although the HTML converter flaw affects Windows Server 2003, the changes made to the operating system during its development mitigated the risk to a large degree, officials said. “The default configuration has a locked-down version of IE [Internet Explorer] that disables a lot of settings and makes it harder to execute attacks that use scripts,” said Stephen Toulouse, security program manager at the Microsoft Security Response Center, in Redmond, Wash. Microsoft officials said they hope to have two new patch installers in beta form by November.
The second vulnerability affects Windows NT 4.0, Windows 2000 and XP Professional and results from a buffer overrun in part of the operating system that handles SMB (Server Message Block) requests. An attacker could use a malicious SMB request to overrun the buffer, which would cause data corruption, a system failure or code execution.
The third flaw affects Windows 2000 and occurs when Windows Utility Manager handles a message incorrectly.
Despite the flaws, users are giving Microsoft the benefit of the doubt. “Other environments have similar problems but are not fixed as quickly or delivered as proactively or installed as easily,” said Tom Allen, a software developer at Century 21 Signature Realty, in Cupertino, Calif. “A new OS is a huge amount of work, and security is a complex topic, so Im not surprised a few tweaks are needed.”