Microsoft Issues Six Security Patches for Windows
by Alex Woodie
Microsoft yesterday posted six patches that fix nine security vulnerabilities in supported versions of Windows Server 2003, Windows 2000, and Windows XP. The monthly volley of patches for August, three of which Microsoft rates critical, includes a fix for the flaw in its Remote Desktop Protocol that became public last month, as well as a fix for the Windows implementation of the Kerberos authentication protocol.
Microsoft's Security Bulletin MS05-038 is a cumulative security update for Internet Explorer 5.x and 6 that Microsoft rates critical for most desktop and server editions of Windows since Windows 98. This update fixes three newly disclosed vulnerabilities: the JPEG Image Rendering Memory Corruption Vulnerability, which could let an attacker take control of an affected system when the browser renders a malformed JPEG image; the Web Folder Behaviors Cross Domain Vulnerability, which could disclose information from one site to another when a user visits a specially crafted Web page; and the COM Object Instantiation Memory Corruption Vulnerability, which could let an attacker take control of an affected system after a visit to a maliciously crafted Web page.
Security Bulletin MS05-039 fixes a critical problem in the plug and play (PnP) component of Windows Server 2003, Windows 2000, and Windows XP that could allow an attacker to run code of their choosing and gain complete control of an affected system. The vulnerability is rated critical only for Windows 2000, where the vulnerable PnP interface can be reached by an unauthenticated attacker over the network; it is rated "important" on Windows XP and Windows Server 2003, because there an attacker must have valid logon credentials (and, on Windows XP SP2 and Windows Server 2003 SP1, be able to log on locally) to exploit it.
Security Bulletin MS05-040 describes and patches a problem in Telephony Application Programming Interface (TAPI) that could allow an attacker to take control of an affected system. This newly discovered, privately reported vulnerability, which is formally called the Telephony Service Vulnerability, affects Windows 2000, Windows XP, and Windows Server 2003 operating systems, and is rated "important."
Microsoft has patched the recently disclosed flaw in its Remote Desktop Protocol (RDP) with Security Bulletin MS05-041. The RDP flaw, which Microsoft was made aware of in May but which hit the general public's radar only in July (see "RDP Flaw Exposes Windows to DOS Attacks"), allows an attacker who can reach the RDP listener on Windows XP, Windows 2000, or Windows Server 2003 to crash the system, a denial of service (DoS). Microsoft gave it a "moderate" rating.
Security Bulletin MS05-042 fixes a pair of recently disclosed vulnerabilities in Kerberos, the network authentication protocol developed at the Massachusetts Institute of Technology and widely used in single sign-on (SSO) environments. Windows does not ship MIT's code; it uses Microsoft's own implementation of the Kerberos v5 protocol, and it was initially believed that this implementation was not subject to the same problems as MIT's reference code. That appears not to be the case, or, at the very least, the two implementations are not different enough to shield Windows from the flaws. The Kerberos flaws expose Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 systems to DoS, spoofing, and potential information disclosure.
The final patch, Security Bulletin MS05-043, fixes a "critical" vulnerability in the print spooler service of some editions of Windows XP, Windows 2000, and Windows Server 2003 that could allow an attacker to gain complete control of the computer. The Print Spooler Vulnerability does not affect the following operating systems: Windows XP Professional x64 Edition; Windows Server 2003 Service Pack 1 (SP1); Windows Server 2003 SP1 for Itanium-based systems; Windows Server 2003 x64 Edition; and Windows 98, Windows 98 Second Edition (SE), and Windows Me.
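As a practical follow-up to the six bulletins above, here is an added example (not code from the article or from Microsoft) that checks a Windows host for each bulletin's update by the KB article number it installs. The bulletin-to-KB mapping is an assumption supplied by the editor from the bulletin titles, not something the article states, so confirm each number against its bulletin before relying on the script. It assumes PowerShell 2.0 or later for Get-HotFix.

```powershell
# Added example, not code from the article or from Microsoft: report which of
# the six August 2005 bulletins are missing from a host, by KB article number.
# Assumption: the KB numbers below come from the bulletin titles (for example
# "Cumulative Security Update for Internet Explorer (896727)"), not from this
# article; verify each against its bulletin before use.
# Needs PowerShell 2.0 or later for Get-HotFix.

$bulletins = @(
    @{ Id = 'MS05-038'; KB = 'KB896727'; Title = 'Cumulative security update for Internet Explorer' }
    @{ Id = 'MS05-039'; KB = 'KB899588'; Title = 'Plug and Play remote code execution / elevation of privilege' }
    @{ Id = 'MS05-040'; KB = 'KB893756'; Title = 'Telephony (TAPI) service remote code execution' }
    @{ Id = 'MS05-041'; KB = 'KB899591'; Title = 'Remote Desktop Protocol denial of service' }
    @{ Id = 'MS05-042'; KB = 'KB899587'; Title = 'Kerberos denial of service, information disclosure, spoofing' }
    @{ Id = 'MS05-043'; KB = 'KB896423'; Title = 'Print Spooler remote code execution' }
)

function Get-AugustPatchStatus {
    param(
        # Defaults to the local machine; pass -ComputerName for a remote host.
        # Get-HotFix uses WMI/DCOM, so the caller needs admin rights there.
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # HotFixID values look like "KB899588"; collect them once per host.
    $installed = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID

    foreach ($b in $bulletins) {
        New-Object PSObject -Property @{
            Computer  = $ComputerName
            Bulletin  = $b.Id
            KB        = $b.KB
            Installed = [bool]($installed -contains $b.KB)
            Title     = $b.Title
        }
    }
}

# Usage: list what is missing on this host; call with -ComputerName for others.
Get-AugustPatchStatus |
    Where-Object { -not $_.Installed } |
    Sort-Object Bulletin |
    Format-Table Computer, Bulletin, KB, Title -AutoSize
```

Two caveats before acting on the output. A missing KB is not proof of exposure: later cumulative updates (Internet Explorer's in particular) supersede earlier ones and are recorded under their own KB numbers, and a bulletin may list the host's edition as not affected, as MS05-043 does for Windows Server 2003 SP1 and the x64 editions. Conversely, an installed KB only covers the component it patches; a system that had the Windows 2000 PnP fix from MS05-039 applied, for example, still needed the other five updates.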