Microsoft announced patches to correct vulnerabilities addressed in 10 security bulletins, three of them critical, security officials announced Tuesday.
The first is a patch to a vulnerability found in several versions of Internet Explorer (IE) 5 and 6 affecting Windows 98/ME/XP and Windows Server 2003 operating systems.
A remote code execution bug targeting Portable Networks Graphic (PNG) images and XML content, combined with the end user's visiting a malicious e-mail or Web site, would allow the attacker to gain administrative rights over the person's machine.
Microsoft officials also plugged another critical vulnerability aimed at Microsoft's HTML Help function, where an attacker could bypass the software's methods for validating input data. As with the other critical bug, a user would first have to visit a Web site hosting the malicious bug before gaining complete control of the system.
A vulnerability in Microsoft's server message block (SMB), found in all Windows versions, rounds out the critical patches in this month's patch update. SMB is the protocol the Windows platform uses to share files, printers, serial ports and communication with other computers. A successful attack over a corporate network would allow a malware writer to execute code on machines throughout the network.
Mitchell Ashley, CTO of network security vendor StillSecure, said the vulnerabilities patched in this month's update will keep security administrators busy, given the number of vulnerabilities and the number of different operating systems affected.
Recent patch updates also show that despite the considerable effort Microsoft has said it is placing on security, security experts are still finding flaws in new releases of its software.
"Now we're seeing patches not only to older operating systems but now we're seeing fixes that apply to [Windows Server] 2003, fixes that apply to [Windows XP and XP Service Pack 2]," he said. "There are certainly designs to make Longhorn a more secure operating system, but it's too early to tell what the impact of that is going to be and how different it will be from current generations of Windows operating systems."
The other security vulnerabilities covered in the June patch release are:
- A fix to the Web client service affecting several versions of Windows XP and Windows Server 2003 that patches an unchecked buffer, allowing the attacker to take control of the system. For the vulnerability to work, however, the attacker would need a valid login to enter the network.
- An important rated vulnerability for Microsoft Exchange Server 5.5 machines running Outlook Web Access OWA. Security officials discovered a cross-site scripting (XSS) flaw caused by OWA method for encoding HTML when composing a new message form, giving the malware writer access to the user's cookies , monitoring Web sessions or running code already in the system.
- An unchecked buffer in Outlook Express NNTP parsing function rated as important to Microsoft security officials, allowing the attacker to edit or delete data, as well as create new full-rights accounts. The vulnerability affects several versions of Outlook Express 5 and Outlook Express 6 on Windows 2000/XP/Server 2003.
An important flaw affecting Windows 98/ME/2000/XP/Server 2003, where an unchecked buffer used to validate bookmark link files could allow an attacker to gain control of a PC. The user would first have to open an attachment in an e-mail or visit a Web site with the necessary malware for it to take effect.
Three moderate-level vulnerabilities affecting Microsoft's ISA Server 2000, telnet and Microsoft Agent.
The latest security patch follows Microsoft's release of its Windows Server Update Services (WSUS) and Microsoft Update (MU) tools, announced during the company's TechEd conference in Orlando, Fla.
The WSUS tool is part of an update management component of Windows Server 2003 and is designed to help system administrators centralize their patch management and update plans.
During the TechEd conference, Gordon Mangione, vice president of Microsoft's Security Business & Technology Unit, said the WSUS tool gives customers the ability to better secure Windows environments and minimize downtime.
In addition, he said the MU tool is the next generation of the popular Windows Update (WU) service, which helps give customers all the services of Windows Update, but with an Automatic Updates feature so users can choose to automatically install high-priority updates.
Mangione said by mid-July, the company plans to release two other updating tools: Systems Management Server (SMS) 2003 Inventory Tool for Microsoft updates, which integrates with the WSUS scanning engine and MU to provide enterprise customers with a new security update scan tool for enterprise patch management.
Also on tap for release in July is the final and complete version of Microsoft Baseline Security Analyzer (MBSA) 2.0, which he said helps small and medium businesses analyze their security state and detect common security mis-configurations and missing security updates.