The software maker released the patch in security bulletin MS05-054, as part of its monthly patching cycle. The update also plugs three other security holes in Internet Explorer, the Web browser component of Windows. One of the other flaws is also deemed critical, but Microsoft said it is not aware of any malicious code that takes advantage of it.
"An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system," Microsoft warned in its security bulletin, referring to the two critical IE flaws. The vulnerabilities exist in all currently supported versions of the browser on all editions of Windows.
The browser security update also tackles part of the fallout from Sony BMG Music Entertainment's rootkit debacle. The browser security update will make it impossible to run older versions of an ActiveX control released by the record label. The software was designed to defuse the issues with an antipiracy tool, but was found to have security problems of its own.
Microsoft's patch release prompted security provider Symantec to raise its ThreatCon global threat index to Level 2, which means an outbreak is expected.
The IE flaws could be used to craft a malicious Web site that will automatically download and run code on a vulnerable PC, if the computer owner visits the site. The compromise could happen without the system owner realizing it, Microsoft said.
"These vulnerabilities are increasingly being used to facilitate online fraud through the installation of malicious software on vulnerable computers," Oliver Friedrichs, a senior manager at Symantec Security Response, said in a statement. "Symantec has already seen exploits for some of these vulnerabilities in the wild and recommends that users apply the updates as quickly as possible."
One serious flaw lies in the way IE handles certain document object model methods, a problem originally reported in May. At that time, experts thought it could only be used for a denial-of-service attack that crashed IE. But in November, experts raised an alarm on the issue, after it was discovered that the flaw could be used to remotely run code on a vulnerable computer.
Microsoft itself has warned that the hole is actively being exploited to download malicious code to vulnerable systems. Security-monitoring company Secunia deems the problem "extremely critical," its rarely given highest rating.
The second critical IE bug patched Tuesday is similar to issues addressed in Microsoft's October, August and July security bulletins. This month's update cuts links between IE and other pieces of Microsoft software that the Web browser can call on inappropriately, a technique that could be used to compromise a system, Microsoft said.
Less severe IE problems
The other two IE security holes addressed in the bulletin represent less of a risk, according to Microsoft's ratings. One is related to the way the browser displays the dialog box for file downloads. A PC user who visits a malicious Web site could be tricked into running malicious code because of the problem, the software maker said.
The other issue could let an attacker see which Web sites a PC user is visiting, even if a connection to the site being visited is encrypted (typically shown by an address that start with "https"). This could occur only when the system owner connects to the Internet via a specific kind of proxy server, Microsoft said.
Beyond IE, Microsoft offered a fix for a privilege-elevation flaw in Windows 2000. This flaw could let an attacker take complete control of an affected system, but requires the intruder to have local access to the machine, Microsoft said in security bulletin MS05-055.
Microsoft urges users to apply the patches. Users of Microsoft patching mechanisms, such as Windows Automatic Updates, do not typically need to take action to receive the patches. Microsoft urges other people to download and install the fixes from its Web site.
