Microsoft Patches JVIEW Profiler Flaw

by Alex Woodie

Microsoft issued three critical security patches yesterday, including two that fix security holes in Windows Server 2003 and other operating systems, and one that protects a potential problem within Microsoft Word. Included in the monthly Patch Tuesday announcement for July is a fix for the recently reported JVIEW Profiler vulnerability in Internet Explorer, which Microsoft partially addressed with a download last week.

Microsoft is addressing the JVIEW Profiler Vulnerability in Internet Explorer 6.0 with Security Bulletin MS05-037. The JVIEW Profiler Vulnerability, which the US-CERT publicly disclosed July 2, rears its ugly head when Internet Explorer tries to instantiate the JVIEW Profiler (Javaprxy.dll) COM object as an ActiveX control. When this happens, the JVIEW Profiler debugger, which was not meant to run as a COM component in IE in the first place, may corrupt system memory in such a way that an attacker could execute arbitrary code, CERT says.

The JVIEW Profiler Vulnerability affects computers running the X86, X64, and Itanium versions of Windows Server 2003 and Windows Server 2003 SP1, as well as Windows XP SP1 and SP2, Windows 2000, and Windows 98, SE, and ME. Users are encouraged to download the patch immediately.

Microsoft Security Bulletin MS05-036 fixes the Color Management Module Vulnerability in various versions of Windows that could allow attackers to take over the computer if a user with administrative privileges viewed a malformed Web site or e-mail message. Users running the original version of Windows Server 2003, Windows Server 2003 Service Pack 1, Windows XP SP1 and SP2, Windows 2000, or Windows 98, SE, and ME are encouraged to download the patch immediately.

Of lesser importance to Windows server shops is Microsoft Security Bulletin MS05-035, which fixes a critical problem in the way that Word parses fonts and could allow an attacker to run code on an affected computer. The vulnerability affects Word 2000, Word 2002, and versions of Word that ship with Microsoft Works Suite, but does not affect the version of Word that ships with Office 2003 or the viewer.

Yesterday's updates were part of regular monthly cycle of patches by Microsoft that has become known as Patch Tuesday. This month's haul of patches was considerably lighter than the one last month, when Windows users had nearly a dozen patches to choose from to fix an array of problems (see Ten Patches Fix 12 Windows Flaws This Patch Tuesday").