Microsoft Issues Three Security Fixes on "Patch Tuesday"

by Alex Woodie

Microsoft issued three new security patches for vulnerabilities in the Windows operating system yesterday, the company's first monthly "Patch Tuesday" of 2005. Two of the patches are deemed "critical" and fix problems that had recently been made public, while the third patch fixes an "important" vulnerability that Microsoft was made aware of through private means.

The first patch of the new year, described in Microsoft Security Bulletin MS05-001, fixes a vulnerability in the HTML Help ActiveX control that could allow remote code execution or information disclosure on an affected system when users open a malformed e-mail or a malicious Web page.

This vulnerability, which was described in late December by two security researchers (Paul of Greyhats Security and Michael Evanchik), could enable someone to take complete control of an affected system; to install programs; to view, change, or delete data; and to create new accounts that have full privileges. A Trojan horse virus crafted to exploit this vulnerability, dubbed Trojan.Phel-A by Symantec, had already begun circulating on the Internet.

Microsoft deemed this vulnerability "critical," its most severe security rating, and recommended that users of the following operating systems install the patch immediately: Windows 2000 Service Pack (SP) 3; Windows 2000 SP4; Windows XP SP1 and SP2; Windows XP 64-Bit Edition SP1; Windows XP 64-Bit Edition Version 2003; Windows Server 2003; Windows Server 2003 64-Bit Edition; and Windows 98, Windows 98 Second Edition, Windows Millennium Edition.

The second new patch, described in Microsoft Security Bulletin MS05-002, fixes two problems, including the Cursor and Icon Format Handling Vulnerability and a new Windows Kernel Vulnerability. These vulnerabilities, which were first reported by a team of Chinese researchers over the Christmas holiday (and referred to as the LoadImage API integer buffer overflow and the Windows Kernel ANI vulnerabilities, respectively), could also enable someone to take complete control of an affected system, or to launch a denial-of-service attack, if a user visited a specially crafted Web site or opened a malicious e-mail.

Microsoft also deemed this vulnerability "critical" and recommends that users of the following operating systems install patches immediately: Windows NT Server 4.0 SP6a; Windows NT Server 4.0 Terminal Server Edition SP6; Windows 2000 SP3 and SP4; Windows XP SP1; Windows XP 64-Bit Edition SP1; Windows XP 64-Bit Edition Version 2003; Windows Server 2003; Windows Server 2003 64-Bit Edition; as well as Windows 98, Windows 98 SE, and Windows ME. Windows XP SP2 is not susceptible to these vulnerabilities.

Microsoft Security Bulletin MS05-003 describes the patch for the Indexing Service Vulnerability that could allow an attacker to take over an affected system. This vulnerability, which Microsoft was privately alerted to and had not yet been made public, affects Windows 2000 SP3, Windows 2000 SP, Windows XP SP1, Windows XP 64-Bit Edition SP1, Windows XP 64-Bit Edition Version 2003, Windows Server 2003, and Windows Server 2003 64-Bit Edition. Not affected by this vulnerability are Windows NT Server 4.0 SP 6a, Windows NT Server 4.0 Terminal Server Edition SP6, Windows XP SP2, and Windows 98, Windows 98 SE, and Windows ME.

With the three patches issued yesterday, it appears that Microsoft has patched three of the four Windows flaws that had been brought to light recently (see "More Windows Flaws Found," in last week's issue of The Windows Observer), in addition to one that had not yet been made public. The one vulnerability for which it appears Microsoft has not yet crafted a response to is the winhlp32.exe heap overflow vulnerability.