A week after rushing out an emergency patch for the Windows .ANI vulnerability, Microsoft fixed six additional flaws in its monthly Patch Tuesday release.
The Redmond, Wash.-based software giant gave five of the flaws its highest rating of "critical."
A client remote code execution vulnerability in Microsoft Agent that affects its processing of specially rigged URLs is the most serious of the flaws, said Vince Hwang, group product manager at Symantec's Security Response division.
The vulnerability, which affects the Microsoft Agent ActiveX component of Microsoft Windows 2000, Windows XP and Windows Server 2003, could enable an attacker to gain complete control over a victim's PC, which usually results in theft of confidential data and loading of malicious software for subsequent attacks, Hwang said.
For instance, an attacker could set up a Web page rigged with the exploit code and lure unsuspecting victims to the site through phishing e-mails, pop-ups or redirects, he said.
Though the Microsoft Agent flaw has the potential to be as severe as the .ANI file vulnerability, its impact is limited somewhat because exploits have yet to appear in the wild, although that could change quickly, Hwang said. Internet Explorer 7 users have a degree of protection from the vulnerability because they have to opt in to get ActiveX running on the machine, he added.
Microsoft also patched a serious remote code execution flaw in its Client Server Runtime Server Subsystem (CSRSS). According to Hwang, the flaw is significant because CSRSS is downloaded by default and because it affects Windows Vista, in addition to Windows 2000, Windows XP and Windows Server 2003.
In addition, Microsoft fixed critical flaws in the Universal Plug and Play service and Content Management Server and issued a patch covering several different vulnerabilities, including a privilege escalation flaw in the Windows Graphics Rendering Engine and the Windows animated cursor (.ANI) vulnerability.
