Microsoft Fixes First Three Windows Flaws Of 2005 - InformationWeek


Microsoft Fixes First Three Windows Flaws Of 2005

Microsoft releases the year's first three security patches for Windows, including two it called "Critical."

Microsoft on Tuesday released the year's first three security patches to Windows, including two it called "Critical," but did not patch all the vulnerabilities that have surfaced in the last several months.

"These are exactly what we expected this month, a couple of patches against threats that are 'wormable'," said Mike Murray, the director of research at nCircle, the vulnerability management vendor whose flagship product is IP360.

The first critical flaw is in Windows Server 2003, and in Windows 98, Me, 2000, and XP, including Service Pack 2, the security update that Microsoft rolled out last October. The ancient Windows NT 4.0 is also affected if Internet Explorer 6.0 SP1 has been installed.

A bug in the HTML Help ActiveX control can be exploited by hackers to gain complete control of a compromised PC, said Microsoft, most likely by creating a malicious Web site, then enticing users into viewing that page with e-mail come-ons. Microsoft's HTML Help ActiveX is designed to let Web site designers add site-specific help information to their pages.

The bulletin, dubbed MS05-001, also offered up a long list of possible work-arounds for users who can't patch immediately, but noted that exploits of this vulnerability are already circulating, and urged users to patch pronto.

Another critical vulnerability, spelled out in the MS05-002 bulletin, affects Windows 98, Me, NT, 2000, XP, and Windows Server 2003, and concerns how those operating systems handle cursors, animated cursors, and icons. A determined hacker, said Microsoft, could create a malicious Web site or send e-mail with specially-crafted cursors or icons that would in turn cause the computer to execute the attacker's choice of code or simply crash.

Although the bug has been made public and proof-of-concept code has been spotted on hacker sites, Microsoft claimed that it had no evidence of any actual exploits in the wild. Still, it recommended that users apply the patches immediately.

The third bulletin, labeled MS05-003, is rated by Microsoft as only "Important" in its four-step scale.

"This one was a bit of a surprise," said nCircle's Murray. "Index Server hasn't been a target in the past. It's not enabled by default, and because of that it's almost a waste of time for hackers."

Windows 2000, XP (but not SP2), and Windows Server 2003 are at risk, said Microsoft, because the Indexing Service can be used to gain complete control of a PC. Formerly known as Index Server, the service's original function was to index the content of Internet Information Services (IIS) Web servers, but it's now also used to create indexed catalogs of file systems.

"This could be dangerous in a targeted attack," said Murray, referring to an attack directed against a specific company, "but it's not something that will end up as a widespread exploit like MSBlast or Slammer."

Some of the more recent vulnerabilities in Microsoft's products, particularly its Internet Explorer browser, were not included in this month's cycle of patches. Murray stepped up to defend Microsoft: "There were some [unpatched] vulnerabilities released publicly, but the [patch] development cycle takes time. There's no way Microsoft has had time to fix these things yet."

Among the disclosed vulnerabilities that weren't patched were a bug in IE's LoadImage API and a long-standing flaw in how IE handles drag-and-dropped objects.

"It takes a month or two to test patches and get them into the products," said Murray. "I expect we'll see [fixes for] these in February."

Tuesday's patches can be obtained through the usual channels: the Windows Update service or direct download from the Microsoft Web site.
