 |
 Microsoft fixes three critical security flaws
November 13, 2003
Microsoft on Tuesday issued patches for vulnerabilities in Internet Explorer, Windows, FrontPage, and Office in the second of its now monthly security bulletins. Of the five flaws, Microsoft rated three as "critical" and one as "important". All who use the affected software should install the patches immediately.
Taken together, the security holes could allow attackers to set up Web pages to take advantage of vulnerable systems and read files or run attack code on a remote user's Windows machine, Microsoft said.
Security Bulletin MS03-048 installs a cumulative patch that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. In addition, it fixes five newly discovered vulnerabilities.
MS03-049 affects Windows 2000 and Windows XP workstations and fixes a critical buffer overrun vulnerability in a Windows service called the Workstation Service, which manages requests for files or printing services on a local area network. That service is turned "on" by default in Windows and could be compromised by an attacker using an improperly formatted network message that was sent to a vulnerable machine. If exploited, an attacker could gain system privileges on an affected system, or could cause the Workstation service to fail.
Another patch, MS03-050, fixes a security hole in some versions of Microsoft's Excel spreadsheet and Word word processing products that could enable an attacker to embed an attack in a small program known as a macro.
The fourth bulletin MS03-051, fixes two critical flaws that were discovered in Microsoft's FrontPage Server Extensions, which are installed by default with the Internet Information Services (IIS) on several versions of Windows 2000 and enables technical staff to create, manage and add features to Web pages.
The final, MS03-052 fixes three flaws in MS Virtual Machine. Virtual Machine is included to most versions of Windows as well as in most versions of Internet Explorer. In order to exploit any of these three vulnerabilities the attacker would need to entice a user into visiting a web site that the attacker controlled. The most serious of the flaws enables an attacker to load and execute any DLL on the user's system. Most likely all users with personal firewalls with DLL-monitoring feature are protected against this flaw.
Microsoft only last month switched to a system of releasing monthly security bulletins, replacing a system of weekly security updates. The company made the change in response to complaints from Microsoft customers about the difficulty of staying on top of the weekly releases, Microsoft said.
|
|
