For the third successive month, Microsoft's Internet Explorer browser has been updated to correct security holes that could put millions of Web surfers at risk of code execution attacks.
The cumulative IE update headlines the August release of six security bulletins from the software maker to cover eight vulnerabilities in its flagship Windows operating system. Three of the six bulletins are rated “critical,” the company's highest severity rating.
According to the MS05-038 bulletin, three separate remote code execution flaws are addressed in the world's most widely used browser.
First up is a vulnerability in the way IE handles JPEG images. An attacker could exploit the vulnerability by creating a malicious JPEG image and luring a Web surfer to view the image.
“An attacker who successfully exploited this vulnerability could take complete control of an affected system,” the company warned, adding that the malicious image could also be distributed via e-mail.
The bulletin also includes patches for a cross-domain flaw in IE that could lead to system takeover and information disclosure attacks. A malicious hacker could build a Web page and launch a successful attack by getting an IE user to visit the page. However, significant user interaction and social engineering are required to exploit this vulnerability, Microsoft Corp. said.
A third remote code execution bug was found in the way the browser instantiates COM Objects that are not intended to be used in Internet Explorer. This flaw could also be exploited by an attacker to take “complete control” of an unpatched system, Microsoft warned.
The IE flaws affect users of Windows 98, Windows Me, Windows 2000, Windows XP (including Service Pack 2) and Windows Server 2003.
According to Oliver Friedrichs, senior manager at Symantec Corp.'s Security Response, the IE update should be treated as a high-priority patch. “The potential for graphical image-based exploits is especially concerning as it affects multiple applications and requires no user interaction,” Friedrichs said, warning that the flaws can be exploited to install spyware, Trojan horses and bots to steal confidential data.
Microsoft also shipped the MS05-039 bulletin with patches for an unchecked buffer in the Windows Plug and Play service. The vulnerability, which carries a “critical” rating, could allow remote code execution and local privilege escalation attacks.
Plug and Play, or PnP, is a feature that allows the operating system to detect new hardware installed on a system. For example, when a user installs a new mouse on a PC, PnP allows Windows to detect it and load the needed drivers.
The bug affects Windows 2000, Windows XP and Windows Server 2003 users.
A third “critical” bulletin, MS05-043, was also released to address a “wormable” flaw in the Windows Print Spooler Service.
The bug is described as an unchecked buffer that could let an attacker take control of a vulnerable machine to install programs; view, change or delete data; or create new accounts with full user rights. However, Microsoft said it believes most attempts to exploit this vulnerability would result in a denial-of-service condition.
The Print Spooler service, or Spoolsv.exe, is an executable file that is installed as a service and loaded when the operating system starts. The file runs until the operating system is shut down and is used to manage the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job and scheduling print jobs.
As expected, the August patch batch also includes a fix for a known denial-of-service vulnerability in RDP (Remote Desktop Services), a feature that allows XP users to remotely control computers from another office, from home or while traveling.
Moments after Microsoft issued its patches for the RDP flaw, the research company credited with reporting it released a proof-of-concept exploit to show how a specially crafted RDP packet could crash an unpatched system.
“The reason I released the [proof of concept] is so that other researchers like myself can check out the bug, and maybe there is possibly a variant of this flaw that can be exploited,” said Tom Ferris, a researcher at Security-Protocols.com.
Microsoft typically frowns on the release of exploit code so soon after a patch is available, but Ferris told Ziff Davis Internet News that the publication of the exploit is more helpful than harmful.
“I believe that Microsoft will frown on everything that puts a negative spin on their products,” he said.
The August bulletins also include:
- MS05-040: Patches for an “important” remote code execution flaw in the way Windows uses the TAPI (Telephony Application Programming Interface). The API is used to integrate telecommunications with the operating system and supports both traditional and IP telephony to provide voice, data and video communication. Affected software and operating systems include Windows 2000, Windows XP, Windows Server 2003, Windows 98 and Windows Millennium Edition.
- MS05-042: Fixes for a moderately critical vulnerability in Kerberos that could allow denial-of-service, information disclosure and spoofing attacks. The flaw could allow an attacker to send a specially crafted message to a Windows domain controller to crash the service responsible for authenticating users in an Active Directory domain.