
By Joris Evers
Posted on ZDNet News: Jan 10, 2006 9:07:00 PM

Microsoft on Tuesday released fixes for two "critical" security flaws, one in Windows and another in the Outlook e-mail client and Exchange mail server.

Both vulnerabilities could allow an attacker to gain complete control over vulnerable PCs or servers running the Microsoft software, the company said in two security bulletins, released as part of its monthly patching cycle.

The Windows problem lies in the way the software processes Web fonts and affects all current versions of the operating system. A vulnerable Windows system could be compromised if the user opened an e-mail or visited a Web site containing a malicious font, Microsoft said in security bulletin MS06-002.

Outlook and Exchange are flawed in the way the applications decode certain e-mail messages, Microsoft said in security bulletin MS06-003. An attacker could craft a malicious e-mail message, and vulnerable systems would be compromised when the message is processed by Exchange or viewed by the Outlook user.

Both vulnerabilities were reported privately to Microsoft, which has not discovered any current cyberattacks that use the flaws as a conduit. Patches to repair the bugs are available via the online bulletins, and the company urges people to install those as soon as possible.

Broken Windows
Tuesday is Microsoft's first official Patch Tuesday of 2006. However, the company broke its monthly patching program last week to deliver a fix for another serious flaw in Windows. That bug, related to the way the operating system renders Windows Meta File images, is being used in exploits, experts have said.

On Monday, two new Windows image problems were reported on a popular e-mail list. Microsoft acknowledged those issues, but said they are performance problems, not security vulnerabilities.

The new Exchange and Outlook vulnerability affects all current versions of the software except Exchange 2003 with Service Pack 1 or Service Pack 2, Microsoft said. The issue is specific to the processing of mail that uses the Transport Neutral Encapsulation Format protocol, used in sending messages in Rich Text Format. For temporary protection, Exchange users could block TNEF, Microsoft suggested.

The Windows problem was discovered and reported by eEye Digital Security, and the Exchange and Outlook flaw was found by Next Generation Security Software.


Talkback
Most recent of 34 Talkback(s):

"An exploit exists"
"The exploit apparently exists."

So why did you link to that story? It doesn't say anything about an exploit existing....
Posted by: toadlife Posted on: 01/13/06
