Microsoft Plugs Code Execution Holes on Patch Day - Page 2

A third patch, MS04-042, corrects two bugs in the DHCP (Dynamic Host Configuration Protocol) Server service that could allow code execution and denial-of-service attacks. The DHCP flaw affects Windows NT Server 4.0 customers.

Microsoft warned that a successful exploit of the DHCP holes could allow an attacker to take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

A separate advisory, MS04-043, was released to stop a buffer overrun found in the Windows HyperTerminal utility. Affected software includes Windows NT Server 4.0, Windows 2000, Windows XP (SP1 and SP2) and Windows Server 2003.

The company warned that an attacker could construct a malicious HyperTerminal session file to launch code on a vulnerable system. "This vulnerability could attempt to be exploited through a malicious Telnet URL if HyperTerminal has been set as the default Telnet client. An attacker who successfully exploited this vulnerability could take complete control of an affected system," according to the advisory.

/zimages/6/28571.gifMicrosoft has scrapped its plans for Windows 2000 SP5. Click here to read more.

The fifth "important" advisory for December, MS04-044, corrects issues in Windows Kernel and LSASS that could allow privilege elevation attacks. Microsoft said a successful exploit could put users at risk of having programs installed or data viewed, deleted or changed.

The company also reissued the MS04-028 advisory, which affected JPEG Parsing (GDI+) in Windows, Office, Graphics Application and Developer Applications subsystem in Microsoft Windows.

The reissue addresses newly available updates for Microsoft Visual FoxPro 8.0 and the Windows .Net Framework 1.0 and 1.1 without Service Pack 1.

Two of the five December bulletins apply to Windows XP Service Pack 2, but the severity rating is reduced to "moderate" for those customers.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.