Microsoft Issues Critical Windows, Exchange Updates

Written By
Dennis Fisher
Oct 15, 2003

Microsoft Corp. on Wednesday issued its first scheduled monthly security update as part of its new patch-management strategy. The October release contains patches for five new vulnerabilities in Windows, four of which are considered critical.

Microsoft is touting the monthly security updates as a way to give enterprises more time to test and install the patches. Rather than having fixes arrive in a haphazard manner, Microsoft plans to drop cumulative patches on a regular basis.

One of the critical new flaws lies in Authenticode and affects Windows NT 4.0, 2000, XP and Windows Server 2003. The vulnerability arises because, under certain low-memory conditions, an ActiveX control could download and install on users' machines without giving users the chance to approve the download. This weakness could be exploited in one of two ways: an attacker could either create a malicious Web site and lure users to it, or he could send an HTML e-mail message containing the malicious code to users.

Another of the new flaws also involves ActiveX, but only affects Windows 2000. A buffer overrun in the Windows Troubleshooter ActiveX control could enable an attacker to run code of his choice on a vulnerable system. The control is designated as “safe for scripting,” meaning that an attacker would only need to create a Web site that references the control in order to exploit the flaw.

The three other vulnerabilities are all buffer overruns. One of the weaknesses is in the Windows Messenger Service and results from the service's failure to check the length of a message before passing it on to the allocated buffer. Exploiting the flaw could allow an attacker to run code with Local System privileges or to cause the service to fail.

The final critical flaw is a buffer overrun in the Help and Support Center, which can also be exploited by the HTML e-mail and Web site attack vectors, according to Microsoft's bulletin. Both of these flaws affect Windows NT 4.0, 2000, XP and Windows Server 2003.

There is also a less serious flaw in the ListBox and ComboBox control. An attacker could use this flaw to run arbitrary code on a vulnerable machine, but he would have to be logged on interactively in order to do so.

The patches for all of these vulnerabilities are located on the Microsoft Web site.
