Microsoft Corp. released software updates in two security bulletins Tuesday, MS05-054 and MS05-055. The updates include fixes for critical new holes in IE, and code to remove a program from Sony BMG that introduced a vulnerability onto customers Windows machines, according to Stephen Toulouse, security program manager with Microsofts Security Resource Center.
The cumulative patch for IE, MS05-054, includes previous fixes for the Web browser and patches for four recently discovered holes, including a publicly disclosed vulnerability in code used by IE to handle JavaScript “Window()” function calls.
That vulnerability was in versions 5.5 and 6.x of Internet Explorer and was initially believed to be less serious and limited to use in denial-of-service attacks.
However, further analysis by researchers outside Microsoft revealed that the hole could be used by remote attackers to execute malicious code on affected Windows systems, Toulouse said.
A group calling itself Computer Terrorism released code to exploit the hole on Nov 21, six months after the hole was first discovered by a German researcher named Benjamin Tobias Franz.
Despite the late notice, Microsoft staff rushed to get a fix in for the hole, which was being used in Web-based attacks to compromise vulnerable Windows systems.
The patch also includes fixes for a hole in IEs COM (Component Object Model) that could allow remote code to run on some versions of IE, and fixes for moderately serious vulnerabilities in IEs File Download Dialog box and HTTPS proxy, Microsoft said.
A second security bulletin, MS05-055, rated “Important,” fixes a hole in the Windows core processing kernel on Windows 2000 machines running Service Pack 4. The vulnerability could allow a user with few security privileges to take control of the Windows 2000 machine once he or she successfully logged in, Toulouse said.
Microsoft also issued an update to Windows that removes an Active-X component left behind by Sony BMGs ill-fated XCP uninstallation utility, known as CodeSupport. Developed by First4Internet, CodeSupport left Windows systems open to Web-based attacks that downloaded and installed malicious programs, according to an analysis by Ed Felten, a professor of computer science at Princeton University.
“If you had the XCP software on your system and ran the initial uninstaller, then this update will remove that [ActiveX] control,” he said.
Microsofts malicious-code removal tool can be used to remove the XCP cloaking software for Sony BMG customers who have not yet removed it, he said.
Microsoft customers are advised to download the security updates as soon as possible.
IT administrators should also review the FAQ section of each bulletin to make sure that the updates to IE do not conflict with existing Web site features, Toulouse said.