Microsoft releases fresh patches to plug the existing holes
June 30, 2005
In mid-June, Microsoft issued three "critical" patches for flaws that could allow a malicious attacker to take remote control of a computer.
The three critical flaws could allow an intruder to take control of a computer, Microsoft has said. The problem in IE is a PNG Image Rendering Memory Corruption vulnerability and affects a range of versions, including IE 6 for Windows XP SP2.
PNG images are seeing rising use in many multimedia presentation formats. The IE vulnerabilities involve malformed fields that are mishandled when the image is read or processed. That can result in a buffer overflow and open the system to a remote attacker.
Symantec Security Response's Vincent Weafer said: "The PNG vulnerability is the most significant of the three. This is a file format flaw and it's not something users are thinking of, which is why they need to watch out for it."
Microsoft officials also plugged another critical vulnerability in Microsoft's HTML Help function, where an attacker could bypass the software's methods for validating input data. As with the other critical bug, a user would first have to visit a Web site hosting the malicious code before the attacker could gain complete control of the system.
A vulnerability in Microsoft's Server Message Block (SMB), found in all Windows versions, rounds out the critical patches in this month's patch update. SMB is the protocol the Windows platform uses to share files, printers and serial ports and to communicate with other computers. A successful attack over a corporate network would allow a malware writer to execute code on machines throughout the network.
The latter two critical vulnerabilities tackled in Tuesday's release existed on unpatched systems running WinXP and Win2000 even with all the latest Service Packs applied.
"This is definitely a significant set of patches," said Jimmy Kuo, a McAfee fellow. "We have three remote code execution patches--one being for IE, which is prevalent. The other two are for HTML Help and Server Message Block, which are also installed on all PCs with Windows."
Windows users are advised to update their systems via the Windows Update site or by enabling Automatic Updates through the System shortcut in the Control Panel.