Microsoft Patches 3 Critical Flaws Redmond Releases August Installment of Security Patches Jim Wagner
Microsoft released three critical fixes and three moderate-to-important fixes to the Microsoft software platform Tuesday as part of its monthly patch program.
The security bulletins, which normally consolidate several vulnerabilities under the particular software component affected, provide more detail on vulnerabilities that were hinted at last Thursday.
The three critical patches are:
MS05-038 fixes three vulnerabilities affecting Internet Explorer (IE) versions 5 and 6. A JPEG image rendering memory corruption vulnerability, Web folder cross-domain vulnerability, and COM object instantiation memory corruption vulnerability could lead to the malware (define) writer taking control of the user's computer. Users logged in under a non-administrative user name will be less impacted.
MS05-039 deals with a critical vulnerability in Microsoft's Plug-and-Play that could allow an attacker to gain remote control over the user's PC as well as give themselves administrator rights on the machine. The only real remote control danger comes from Windows XP Service Pack (SP) 1 machines since the vulnerability only allows for local machine elevation rights on Windows XP SP2 and Windows Server 2003 systems. However, the vulnerability will allow remote code execution on all three platforms.
MS05-043 corrects a print spooler vulnerability in Windows 2000 SP 4, Windows XP SP 1 and 2, and Windows Server 2003. The vulnerability allows remote code execution by the attacker to take complete control over the machine. Attacks on other Windows platforms, officials said, would likely result in a denial of service (DOS) attack (define).
The Redmond, Wash.-based software giant also released three non-critical security bulletins for August.
A vulnerability in the way the telephony API (define) in Windows Server 2000 SP 4/XP/Server 2003 processes data and permissions could allow an attacker to take control over a person's computer. The vulnerability was not deemed critical because the telephony service is not enabled by default on Windows XP/Server 2003. Also, in Windows Server 2000/2003, the attacker must have a valid logon credentials and log on locally.
A moderate-level vulnerability in Kerberos and PKINIT could allow the attacker to launch a DOS attack, grab information off the user's computer or spoof (define) the address a user is visiting on the Web. A second moderate-level vulnerability takes advantage of a weakness in Microsoft's remote desktop protocol, which would allow the attacker to launch a DOS attack. The vulnerability affects Windows 2000/XP/Server 2003 platforms.
This month's security update also includes definition updates to Microsoft's malicious software removal tool. The v1.7 update will remove Spyboter, Bagz, and Dumaru bugs from a user's system.
