Microsoft Issues Five Critical Patches For Windows Vulnerabilities
Altogether, Microsoft's security update, which particularly affects several versions of Windows Vista, in addition to Server 2003 and Server 2008, included critical fixes for Windows Media Format, Transmission Control Protocol/Internet Protocol, ActiveX, Wireless LAN and JScript Scripting engine.
Patches deemed critical indicate that the vulnerability could be exploited remotely with little or no intervention by the user. However, security experts say that they have yet to see active attacks exploiting the vulnerabilities Microsoft patched with its security update.
But that will likely change, experts say. Two of the vulnerabilities that attackers would likely target first occur in the way that Windows handles ASF and MP3 media files. The errors, specifically found in Windows Media Format, could allow remote code execution if hackers successfully enticed a victim to open a malicious media file. Malicious code could then be launched that would enable hackers to infiltrate a user's system to steal information.
"We've seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected," said Ben Greenbaum, senior research manager for Symantec Security Response, in an e-mail.
In addition, Microsoft released several fixes for errors in Windows TCP/IP, two of which could pave the way for hackers to launch targeted denial of service attacks by sending specially crafted TCP/IP packets over the network, causing the system to freeze or automatically restart.
"If you're targeting a corporate network, you could take down some critical services by taking advantage of this vulnerability," said Jason Miller, security and data team manager for Shavlik Technologies. "It would definitely be a targeted attack at that point."
Meanwhile, security experts say that one of the most serious patches included a fix for a critical JScript Scripting engine vulnerability that could allow hackers to launch attacks by enticing victims to open a malicious file or compelling them to visit a malicious Web site that invokes malformed script, typically through some social engineering scheme. Once a user opened the malicious file or was redirected to a dangerous Web site, attackers could download malicious code that could be used to take control of a user's entire machine, usually to steal information or passwords.
In addition, Microsoft released a fix for a critical vulnerability in the DHTML Editing Component ActiveX control that also could infect users' PCs with malicious code if they were to visit a specially crafted Web site.
Miller said that the JScript error and the ActiveX vulnerability would likely have the biggest impact on the average consumer, due to the fact that home users are more likely to inadvertently download a virus or a Trojan while surfing the Web.
"They're going to throw down the Trojan viruses," Miller said. "They could do some really nasty things to [users'] machines."
The Microsoft patch bundle also incorporated a repair for a flaw in Wireless LAN AutoConfig Service that could allow hackers to launch malicious attacks by infiltrating public wireless hot spots, such as those in coffee shops and airports. However, a successful exploit could only be launched on Vista and Windows Server 2008 machines equipped with wireless cards.