Patch Tuesday: Microsoft Fixes Five Critical Bugs


By Kevin McLaughlin, ChannelWeb

5:00 PM EDT Tue. Apr. 10, 2007

A week after rushing out an emergency patch for the Windows .ANI vulnerability, Microsoft fixed six additional flaws in its monthly Patch Tuesday release.

The Redmond, Wash.-based software giant gave five of the flaws its highest rating of "critical."

A client remote code execution vulnerability in Microsoft Agent that affects its processing of specially rigged URLs is the most serious of the flaws, said Vince Hwang, group product manager at Symantec's Security Response division.

The vulnerability, which affects the Microsoft Agent ActiveX component of Microsoft Windows 2000, Windows XP and Windows Server 2003, could enable an attacker to gain complete control over a victim's PC, which usually results in theft of confidential data and loading of malicious software for subsequent attacks, Hwang said.

For instance, an attacker could set up a Web page rigged with the exploit code and lure unsuspecting victims to the site through phishing e-mails, pop-ups or redirects, he said.

Though the Microsoft Agent flaw has the potential to be as severe as the .ANI file vulnerability, its impact is limited somewhat because exploits have yet to appear in the wild, although that could change quickly, Hwang said. Internet Explorer 7 users have a degree of protection from the vulnerability because they have to opt in to get ActiveX running on the machine, he added.

Microsoft also patched a serious remote code execution flaw in its Client Server Runtime Server Subsystem (CSRSS). According to Hwang, the flaw is significant because CSRSS is downloaded by default and because it affects Windows Vista, in addition to Windows 2000, Windows XP and Windows Server 2003.

In addition, Microsoft fixed critical flaws in the Universal Plug and Play service and Content Management Server and issued a patch covering several different vulnerabilities, including a privilege escalation flaw in the Windows Graphics Rendering Engine and the Windows animated cursor (.ANI) vulnerability.

 