Ten Patches Fix 12 Windows Flaws This Patch Tuesday
by Alex Woodie
Microsoft yesterday unveiled a bumper crop of 10 patches to fix a dozen vulnerabilities affecting its Windows operating system and associated applications. Three of the patches are considered critical. They fix security flaws that previously had not been reported. Windows Server 2003 gets seven fixes for eight flaws, while Windows 98, SE, and ME users get no patches for several flaws because they aren't considered critical.
Microsoft is fixing two security flaws in Internet Explorer--one critical, one moderate--that affect nearly every PC and server version of Windows since Windows 98 as part of its Security Bulletin MS05-025. The critical flaw fixed by this security bulletin, the previously undisclosed PNG Image Rendering Memory Corruption Vulnerability, could permit a hacker to execute the code of their choosing on affected systems. The other flaw, called the XML Redirect Information Disclosure Vulnerability, could lead to the disclosure of private information on affected systems. The XML flaw, which had been made public before yesterday, ranks as a moderate threat on all systems, except Windows Server 2003, where Microsoft says it poses a low threat.
A previously undisclosed, critical vulnerability in how Windows handles HTML Help files is being addressed with Security Bulletin MS05-026. This flaw, which could permit an attacker to gain complete control of Windows 98, Windows 2000, Windows XP, and Windows Server 2003 systems, ranks as only a moderate threat on Windows Server 2003 systems with Service Pack 1 (SP1) installed.
Security Bulletin MS05-027 fixes a previously unreported, critical flaw in Microsoft's implementation of Server Message Block (SMB), a standard Internet protocol used to share files, printers, and serial ports, and to communicate between computers. The flaw could let a hacker take complete control of an affected system by passing a malformed SMB message. This vulnerability affects Windows 2000 and 32-bit and 64-bit versions of Windows XP and Windows Server 2003; Windows 98 and ME are not affected.
A previously unreported flaw in the way Windows processes Web Client requests could open the door for a hacker to gain control of an affected system, but it has been addressed with Security Bulletin MS05-028. This flaw is considered a moderate threat, and only affects Windows XP SP1, the SP1 and 2003 versions of Windows XP for Itanium, Windows Server 2003, and Windows Server 2003 for Itanium. None of the operating system updates Microsoft has shipped since Windows XP SP2--which provided the security foundation for Windows Server 2003 SP1 and the X64 versions of Windows Server 2003 that shipped this spring--are affected by this flaw.
Customers running Outlook Web Access for Exchange Server 5.5 should pay attention to Security Bulletin MS05-029, which patches a moderate cross-site scripting vulnerability in Exchange Server 5.5 Service Pack 4. This previously undisclosed vulnerability could result in a server takeover if an attacker convinces a user to run a malicious script.
Security Bulletin MS05-030 provides a cumulative security update for Outlook Express, and patches a previously unreported buffer overflow flaw in Microsoft's implementation of the Network News Transfer Protocol (NNTP) parsing function in Outlook Express. It could allow an evil doer to take control of the computer when an Outlook Express user queries a news server for news.
The newly discovered Interactive Training Vulnerability in nearly all Windows versions since Windows 98 is fixed with the patch provided in Security Bulletin MS05-031. This unchecked buffer vulnerability could let an attacker gain complete control of a computer running the Step by Step Interactive Training, which is used by Microsoft Press for many of its training programs. Because this flaw ranks only as moderate, Microsoft won't be providing a fix for Windows 98, 98 SE, and ME. Microsoft only offers support for critical security problems for these operating systems at this stage of those products' lifecycles.
A previously unreported spoofing threat has been fixed with Security Bulletin MS05-032. This spoofing flaw affects nearly all versions of Windows since Windows 98, and could lead users to visit a malformed Web site. Because Microsoft ranks it as a moderate danger, it will not be providing a patch for older versions of the operating system.
Security Bulletin MS05-033 describes a previously unreported vulnerability in the company's Telnet client that could lead to a loss of information. Microsoft says this moderate vulnerability, which affects nearly every operating system except for Windows 98, ME, and 2000 SP3 and SP4, could allow an attacker to read the session variables of a Telnet user who connects to a malformed Telnet server.
Microsoft is fixing two flaws as part of a cumulative update to its Internet Security and Acceleration (ISA) Server 2000 (and Small Business Server 2003 Premium Edition, which includes ISA Server 2000) with Security Bulletin MS05-034. This update fixes the previously disclosed HTTP Content Header Vulnerability and NetBIOS Predefined Filter Vulnerability, which had not yet been made public. Either of these flaws could give a hacker who exploits it elevated privileges.