Microsoft Corp. on Wednesday issued its first scheduled monthly security update as part of its new patch-management strategy. The October release contains patches for five new vulnerabilities in Windows, four of which are considered critical.
Microsoft is touting the monthly security updates as a way to give enterprises more time to test and install the patches. Rather than having fixes arrive in a haphazard manner, Microsoft plans to drop cumulative patches on a regular basis.
One of the critical new flaws lies in Authenticode and affects Windows NT 4.0, 2000, XP and Windows Server 2003. The vulnerability arises because under certain circumstances in which memory is low, an ActiveX control could download and install on users machines without giving users the chance to approve the download. This weakness could be exploited in one of two ways: an attacker could either create a malicious Web site and lure users to it, or he could send an HTML e-mail message containing the malicious code to users.
Another of the new flaws also involves ActiveX, but only affects Windows 2000. A buffer overrun in the Windows Troubleshooter ActiveX control could enable an attacker to run code of his choice on a vulnerable system. The control is designated as “safe for scripting,” meaning that an attacker would only need to create a Web site that references the control in order to exploit the flaw.
The three other vulnerabilities are all buffer overruns. One of the weaknesses is in the Windows Messenger Service and results from the services failure to check the length of a message before passing it on to the allocated buffer. Exploiting the flaw could allow an attacker to run code with Local System privileges or to cause the service to fail.
The final critical flaw is a buffer overrun in the Help and Support Center, which can also be exploited by the HTML e-mail and Web site attack vectors, according to Microsofts bulletin. Both of these flaws affect Windows NT 4.0, 2000, XP and Windows Server 2003.
There is also a less serious flaw in the ListBox and ComboBox control. An attacker could use this flaw to run arbitrary code on a vulnerable machine, but he would have to be logged on interactively in order to do so.
The patches for all of these vulnerabilities are located on the Microsoft Web site.
Discuss this in the eWEEK forum.