Microsoft released seven security bulletins, including fixes for three critical vulnerabilities, as part of its monthly Patch Tuesday update delivered on Dec. 12.
The software giant, based in Redmond, Wash., shipped 11 security patches in total, including a cumulative Internet Explorer bulletin and an update meant to fix a flaw in the Windows Media file format.
The Windows Media update was unexpectedly added to the six bulletins the company said it would forward in its Patch Tuesday preview released on Dec. 8.
The Windows Media vulnerability targeted by the patch, along with a cumulative IE browser bulletin and an update meant to close a glitch in Microsofts Visual Studio 2005 software were identified as critical risks, the companys most severe security rating.
The IE bulletin may be considered the most severe of the critical patches, addressing a script error handling memory corruption in the browser that merited the critical status.
The client-side code execution vulnerability is caused by a memory corruption condition when handling script errors and the company said that computers affected by the glitch could allow for remote code execution and allow hackers to take control of systems running the software.
Microsoft said the critical flaw could be exploited using a specially-crafted Web page designed to attack the issue, which is present in its Internet Explorer 5 and 6, Windows 2000, Windows XP and Windows Server 2003 systems.
Also included in the IE bulletin were fixes for a critical DHTML script function memory corruption vulnerability residing in IE 6 and Windows XP that could allow for remote code execution if exploited.
Also, there were patches for a TIF folder information disclosure vulnerability ranked as important for almost all versions of the browser, and a second TIF folder information disclosure vulnerability that was rated as a moderate security risk.
Microsoft said the Virtual Studio 2005 patch is meant to fix a critical WMI object broker vulnerability in the development package that could allow for remote execution and allow an attacker who successfully exploits this flaw to take complete control of an affected system.
While the problem is present in all versions of the Virtual Studio 2005 software, Microsoft said that users running Internet Explorer on Windows Server 2003 in its default enhanced security configuration would not be affected by the issue.
The bulletin covering the Windows Media file format issue includes two individual patches aimed at closing critical issues in Microsofts Windows Media Player 6.4, Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Windows Server 2003, Windows Server 2003 Service Pack 1 and Windows Server 2003 x64 Edition products.
One of the patches seeks to remedy a remote code execution vulnerability existing in Windows Media Format Runtime, due to the way it handles ASF (advanced systems format) files.
Next Page: Losing control of an affected system.
Losing Control of an
Affected System”>
Microsoft said that an attacker could exploit the vulnerability by constructing specially crafted Windows Media Player content that could potentially allow remote code execution if a user visits a malicious Web site or opens an e-mail message with malicious content, potentially allowing outsiders to take control of an affected system.
The second Windows Media file format patch addresses a remote code execution vulnerability in Windows Media Format Runtime linked to the manner in which the program handles certain elements contained in advanced stream redirector (ASX) files.
An attacker who exploits the vulnerability by constructing a specially crafted ASX file that could allow remote code execution if a user visits a malicious Web site where specially crafted ASX files are used to launch Windows Media player, or if a user clicks on a URL pointing to a specially crafted ASX file, the company said.
Such an attack could also allow someone to take complete control of an affected system.
Among the other bulletins posted by Microsoft was a patch aimed at fixing a SNMP (simple network management protocol) memory corruption vulnerability in the companys Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1 products.
If exploited, the flaw, which bears the security rating of important, could allow an attacker to take over affected systems, the company said.
Microsoft also released a patch meant to address a file manifest corruption vulnerability in its Windows XP Service Pack 2 and Windows Server 2003 products ranked by the software maker as important.
The vulnerability could allow a logged on user to take complete control of a system running the products.
Another security bulletin was released to fix an important vulnerability in Microsofts Outlook Express software. The Windows address book contact record issue affects every version of the software released since its Outlook Express 5.5 Service Pack 2 iteration, and could allow an attacker who exploits the issue to take complete control of an affected system, Microsoft said.
The final important security patch involves a vulnerability in the RIS (remote installation service) of Microsofts Windows 2000 Service Pack 4 software, which could also allow for remote code execution and allow a successful attacker to overwrite existing operating system files or upload a specially crafted file, and compromise operating system installs offered by the RIS server.
Microsoft said that it would also ship four high-priority non-security Windows updates via its Windows Update and Software Update Services automated patch delivery systems as part of the release, as well as an updated version of its Windows Malicious Software Removal Tool.
The malware removal kit will be distributed on Microsofts Windows Update, Microsoft Update, Windows Server Update Services and Download Center resources, but not via its Software Update Service.
In addition, the company plans to distribute ten high-priority non-security updates over its Microsoft Update and Windows Server Update Services.
In November, Microsoft released a critical cumulative update for the Internet Explorer browser to fix a flaw that was being used in targeted zero-day attacks since early October. Microsoft also released five other security bulletins, including four others meant to address critical issues.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.