MS Patch Train Drops Off Critical IE Fix

Redmond ships 10 bulletins to cover a dozen security vulnerabilities, including a pair of code-execution holes in the Internet Explorer browser.

Microsoft on Tuesday released 10 advisories to cover a slew of security flaws in a range of products, including a "critical" cumulative update for the Internet Explorer browser.

Three of the 10 bulletins are rated "critical," the companys highest severity rating.

The IE fix, covered in MS MS05-025, corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files.

According to Stephen Toulouse, program manager in the Microsoft Security Response Center, the flaw could allow an attacker to seize complete control of an affected machine remotely by luring a surfer into visiting a malicious Web site.

This is not the first time that Microsoft has squashed a PNG processing bug in its software. Earlier this year, a critical bulletin was released to correct a similar vulnerability in the Windows Media Player and MSN Messenger products.

The latest IE update also fixes a data leakage that occurs in the way IE handles certain requests to display XML content. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially lead to information disclosure if a user visited a malicious Web site or viewed a malicious e-mail message," Microsoft said.

/zimages/1/28571.gifRead more here about previous problems with PNG processing in Windows software.

A successful attacker could exploit the flaw to read XML data from another Internet Explorer domain. Microsoft said user interaction is required to exploit this vulnerability.

The IE flaws were confirmed on Windows 2000 SP3 and SP4, Windows XP (SP1 and SP2 inclusive), and Windows Server 2003 (including SP1). Patches were also rolled out for users of Windows 98 and Windows ME (Millennium Edition).

The June patch batch also contained "critical" fixes for a vulnerability in HTML Help that puts users at risk of remote code execution attacks. In its MS05-026 bulletin, Microsoft warned that "an attacker who successfully exploited this vulnerability could take complete control of the affected system."

Microsoft HTML Help is the standard help system for the Windows platform. Web developers typically use HTML Help to create online help files for software applications or to create content for multimedia titles or Web sites.

The HTML Help bulletin applies to Windows 98, Windows ME, Windows 2000 (including SP3 and SP4), Windows XP (SP1 and SP2 inclusive) and Windows Server 2003, including SP1.

The company also rated the MS05-027 bulletin, which was detected in the SMB protocol, as "critical" and warned that a successful exploit could allow an attacker to hijack a PC without the users knowledge.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said.

The SMB protocol is used to share files, printers and serial ports, and also to communicate between computers. The vulnerability resides specifically in Microsofts implementation of the protocol and not the protocol itself.

Affected systems include Windows 2000, Windows XP and Windows Server 2003.

The June bulletins also include:

  • MS05-028: A remote code execution vulnerability that exists in the way Windows handles Web Client requests. A successful attack could put users at risk of PC takeover, but some user interaction is required. This update is rated "important" and only affects Windows XP and Windows Server 2003.
  • MS05-029: An "important" flaw in Outlook Web Access for Exchange Server 5.5 that puts users at risk of cross-site scripting attacks. The flaw could let an attacker launch a malicious script that would execute in the security context of the targeted user. The bug could allow an attacker access to any data on the Outlook Web Access server that was accessible to the individual user. It is only applicable to Exchange Server 5.5 customers using Outlook Web Access.
  • MS05-030: A cumulative security update for Outlook Express that carries an "important" rating. This is a remote code execution flaw that exists in Outlook Express when it is used as a newsgroup reader. An attacker could exploit the vulnerability by constructing a malicious newsgroup server that could potentially allow remote code execution if a user queried the server for news. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability," Microsoft said.
  • MS05-031: An "important" vulnerability in Step-by-Step Interactive Training, the engine used in titles provided by Microsoft Press and other vendors. Microsoft described this as a "code execution vulnerability" that occurs because of the way that Step-by-Step Interactive Training handles bookmark link files.
  • MS05-032: This update carries a "moderate" rating and affects Microsoft Agent, the interactive software used in computer learning environments. "This is a spoofing vulnerability [that] could enable an attacker to spoof trusted Internet content."
  • MS05-033: This addresses an information-disclosure weakness in Microsofts implementation of the Telnet protocol. "An attacker who successfully exploited this information-disclosure vulnerability could remotely read the session variables for users who have open connections to a malicious Telnet server," the company said. This bug is rated "moderate."
  • MS05-034: A cumulative update for two flaws in the Microsoft ISA (Internet Security and Acceleration) Server 2000. The first bug exists in the way ISA Server 2000 handles malformed HTTP requests. Microsoft warned that attackers could either bypass content restrictions and access content that they would normally not have access to, or they could cause users to be directed to unexpected content. The patch also fixes a privilege escalation flaw in the way the NetBIOS protocol is used by the affected ISA Server.

Microsoft also announced the re-release of three security bulletins—MS05-019, MS02-035 and MS05-004.

/zimages/1/28571.gifRead more here about the faulty MS05-019 update.

The MS05-019 bulletin, first released in April, contains patches that have caused major connectivity problems for network administrators. The connectivity errors range from inability of Exchange servers to talk to their domain controllers; failure of domain controller replication across WAN links; and inability to connect to terminal servers or to file-share access.

The Windows Malicious Software Removal tool has also been updated this month to remove the ASN.1 worm and variants of Spybot, Kelvir, Lovgate and Mytob.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.