"These are exactly what we expected this month, a couple of patches against threats that are 'wormable'," said Mike Murray, the director of research at nCircle, the vulnerability management vendor whose flagship product is IP360.
The first critical flaw is in Windows Server 2003, and in Windows 98, Me, 2000, and XP, including Service Pack 2, the security update that Microsoft rolled out last October. The ancient Windows NT 4.0 is also affected if Internet Explorer 6.0 SP1 has been installed.
A bug in the HTML Help ActiveX control can be exploited by hackers to gain complete control of a compromised PC, said Microsoft, most likely by creating a malicious Web site, then enticing users into viewing that page with e-mail come-ons. Microsoft's HTML Help ActiveX is designed to let Web site designers add site-specific help information to their pages.
The bulletin, dubbed MS05-001, also offered up a long list of possible work-arounds for users who can't patch immediately, but noted that exploits of this vulnerability are already circulating, and urged users to patch pronto.
Another critical vulnerability, spelled out in the MS05-002 bulletin, affects Windows 98, Me, NT, 2000, XP, and Windows Server 2003, and concerns how those operating systems handle cursors, animated cursors, and icons. A determined hacker, said Microsoft, could create a malicious Web site or send e-mail with specially-crafted cursors or icons that would in turn cause the computer to execute the attacker's choice of code or simply crash.
Although the bug has been made public and proof-of-concept code has been spotted on hacker sites, Microsoft claimed that it had no evidence of any actual exploits in the wild. Still, it recommended that users apply the patches immediately.
The third bulletin, labeled MS05-003, is rated by Microsoft as only "Important" on its four-step scale.
"This one was a bit of a surprise," said nCircle's Murray. "Index Server hasn't been a target in the past. It's not enabled by default, and because of that it's almost a waste of time for hackers."
Windows 2000, XP (but not SP2), and Windows Server 2003 are at risk, said Microsoft, because the Indexing Service can be used to gain complete control of a PC. Formerly known as Index Server, the service's original function was to index the content of Internet Information Services (IIS) Web servers, but it's now also used to create indexed catalogs of file systems.
"This could be dangerous in a targeted attack," said Murray directed against a specific company, "but it's not something that will end up as a widespread exploit like MSBlast or Slammer."
Some of the more recent vulnerabilities in Microsoft's products, particularly its Internet Explorer browser, were not included in this month's cycle of patches, but Murray stepped up to defend Microsoft. "There were some [unpatched] vulnerabilities released publicly, but the [patch] development cycle takes time. There's no way Microsoft has had time to fix these things yet."
Among the disclosed vulnerabilities that weren't patched were a bug in IE's LoadImage API and a long-standing flaw in how IE handles drag-and-dropped objects.
"It takes a month or two to test patches and get them into the products," said Murray. "I expect we'll see [fixes for] these in February."
Tuesday's patches can be obtained through the usual channels: the Windows Update service or direct download from the Microsoft Web site.