Microsoft Warns Of Multiple Critical Vulnerabilities

But that was only the beginning. At the same time, Microsoft also issued two additional bulletins that noted critical vulnerabilities in the database connectivity component of Windows, and within DirectX, the multimedia APIs used by Windows to run graphics, video, audio, and 3D applications.

The continued wave of Microsoft's vulnerabilities is disappointing, said Michael Cherry, a senior analyst with Directions on Microsoft, and challenges Microsoft's attempt to convince users that it's making progress on its Trustworthy Computing initiative, a company-wide effort to tighten up security in its products.

"Expectations were that the rate of security incidents would have fallen by now, since Microsoft made such a point about how much it spent on reviewing the Windows code," he said.

Last year, as part of Trustworthy Computing, Microsoft took time off development to review the code of its operating systems, applications, and tools in a search for security holes.

The critical vulnerabilities in Internet Explorer affect IE 5.01, 5.5, and 6.0, and could result, said Microsoft, in an attacker running malicious code on the system if the user browses to a specially-crafted Web site or opens a link to such a site contained in an e-mail message.

IE 6.0 on Windows Server 2003, Microsoft's newest server software, is also vulnerable, although there the Redmond, Wash.-based developer rated the flaw as only 'moderate' due to the default configuration of the server software, which prevents such attacks.

The first of the critical holes in IE can result in a buffer overrun in an ActiveX control within the now-obsolete Windows Reporting Tool. The patch sets the Kill Bit on the BR549.DLL ActiveX control, disabling the ActiveX component and preventing it from being re-installed.

The second critical vulnerability stems from IE's mishandling of object tags in HTML pages. When the browser encounters an object tag and then calls for a file from a Web server, it doesn't properly check that the file received is the correct type. An attacker could take advantage of the flaw by hosting a specially-made Web site, getting users to visit it, then forcing IE to execute a file of their own choosing. That could give the intruder full access to the machine, or allow him to take any action -- including deleting files -- that's available to the real user.

Microsoft issued patches for the IE vulnerabilities on its TechNet Web site; as usual, the patches can also be downloaded using WindowsUpdate.

Included in the patch is another fix -- this one for a vulnerability tagged 'important' by Microsoft -- that corrects a flaw in the way the browser checks the originating domain when looking for local files in the browser cache. An attacker could load malicious script code onto a system by compromising the security of IE's My Computer zone. Again, by enticing users to a Web site, the attacker might be able to load such code to execute on the machine, or run a file already on the PC.

In two separate bulletins -- both follow-ups to earlier warnings -- Microsoft noted vulnerabilities within the MDAC component of Windows and inside virtually all versions of DirectX.

MDAC, which stands for Microsoft Data Access Components, is used by the OS to provide database connectivity.

This vulnerability has to be particularly embarrassing to Microsoft, for it was originally released in July, 2002. At that time, however, Microsoft believed it stemmed from a command specific to SQL Server. Now it says the flaw is actually within the underlying MDAC component ODBC, which is present in all versions of Windows.

To paint its face even more red, Microsoft admitted that the original patch didn't install correctly on some systems because of an error in the way Windows Installer updated the System File Protection cache.

Microsoft's now extended the vulnerability -- and provided a patch it swears will install correctly -- to MDAC inside Microsoft Windows 2000, Office 2000 SR1 and later, Windows XP, and Visual Studio .Net.

The company rated this flaw as 'critical,' its highest threat level. Fixes can be found on the TechNet site or obtained by using WindowsUpdate.

"This is a really bad one," said Cherry. "Microsoft says they're going to turn on AutoUpdates, and make it mandatory to download and install patches. But this is a poster child for why that's a bad idea."

DirectX should also be patched immediately or upgraded, said Microsoft. A flaw in versions of DirectX going back as far as 5.2 could permit an attacker to run programs on a machine compromised by a malicious MIDI audio file hosted on a Web site or posted to a network share. Virtually all editions of DirectX are at risk. Wednesday's alert is a follow-on to one originally posted July 23, but has been updated to include DirectX 8.0, 8.0a, 8.1, 8.1a, and 8.1b, which it now says are also vulnerable.

Users can obtain the DirectX patch from the TechNet Web site; concurrently, Microsoft released DirectX 9.0b, an update which includes the security fix that can be installed on all supported versions of Windows except for Windows NT 4.0.

Cherry pointed to the DirectX flaw as a good example of what Microsoft should have uncovered much earlier.

"We're still seeing problems that we would have hoped the code review would have caught," he said. "I'm surprised that the code review didn't catch that."

Even so, Cherry gave Microsoft a passing grade. "They still have a ways to go, but it's so much better than it was a year ago," he said.

This story courtesy of TechWeb.