The Microsoft security train made its scheduled monthly stop on Tuesday, dropping off eight updates to cover 18 vulnerabilities in a range of widely deployed products.
Five of the eight advisories are rated “critical” and Redmond officials are urging customers to apply at least three immediately as high-priority updates.
The top three include fixes for high-risk flaws in Microsoft Corp.s implementation of the TCP/IP stack; a cumulative patch for the Internet Explorer browser; and a patch for a remote code-execution hole in the enterprise-focused Microsoft Exchange Server.
According to Stephen Toulouse, program manager at the Microsoft Security Response Center, the vulnerabilities discussed in the MS05-019 bulletin present the biggest threat to Microsoft Windows users because a successful exploit could allow a malicious hacker to take complete control of an affected system.
In all, Microsoft is patching five vulnerabilities in the TCP/IP stack, the most serious of which could let an attacker install programs; view, change or delete data; or create new accounts with full user rights.
Successful exploits could also cause denial-of-service conditions, Toulouse said in an interview with eWEEK.com.
Software affected by the TCP/IP vulnerabilities includes Windows 2000 Service Packs 3 and 4, Windows XP SP1 and SP2, Windows XP 64-Bit Edition, and Windows Server 2003. Patches were also shipped for the Windows 98 and Windows ME operating systems.
For the second time this year, a cumulative update with a “critical” rating was released for the dominant Internet Explorer browser. The IE patch, covered in MS05-020, affects all operating systems up to and including Windows XP SP2. It addresses three separate code-execution vulnerabilities in IE that could lead to remote system takeover.
According to Microsofts advisory, one vulnerability is caused by the way IE handles certain DHTML (Dynamic HTML) objects. “An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system,” the company warned.
Code-execution holes have also been plugged in the way the browser handles Content Advisor files and certain URLs.
Microsoft Exchange Server, which is widely employed in large corporations using Microsoft infrastructure solutions, is also vulnerable to a critical code-execution vulnerability. The MS05-021 update provides a fix for the issue, which can allow an attacker to connect to the SMTP port on an Exchange server and issue a specially crafted command. A successful attack could result in a denial of service or allow attackers to run malicious programs of their choice in the security context of the SMTP service.
Customers running Microsoft Exchange 2000 Server SP3, Exchange Server 2003 and Exchange Server 2003 SP1 are affected.
The April advisories also include fixes for a pair of buffer-overflow flaws in Microsoft Word, the popular word processor that ships as part of the Office suite.
The MS05-023 update provides patches for the remote code-execution Word vulnerabilities.
Both flaws could allow a malicious hacker to take complete control of a users PC by creating a document that contains malicious code and persuading the target to open the document.
Customers affected include users of Microsoft Word 2000 and 2002, Microsoft Office Word 2003, and Microsoft Works Suite 2001, 2002, 2003 and 2004.
For the second time this year, the MSN Messenger application has gotten a security makeover to correct a critical remote code-execution vulnerability. Patches have been included in the MS05-022 advisory, which applies to MSN Messenger Version 6.2. Users of the newest MSN Messenger 7.0 are not affected.
The software giant also released two non-security-related updates marked “high priority” through Windows Update to help provide all of the updates requiring a reboot in a single release cycle. These updates relate to the Microsoft Windows Installer and the Background Intelligent Transfer Service.
The Redmond, Wash.-based companys worm-removal tool also got the scheduled monthly update to add detection for new viruses and threats.