
By Dawn Kawamoto, News.com
Posted on ZDNet News: Jun 14, 2005 8:18:00 PM

Microsoft on Tuesday issued three "critical" patches for flaws that could allow a malicious attacker to take remote control of a computer.

One fix deals with vulnerabilities in Internet Explorer, while the others tackle problems with HTML Help and Server Message Block in the Windows operating system. The security bulletins were three of 10 released by the software giant as part of its monthly patch cycle.

"This is definitely a significant set of patches," said Jimmy Kuo, a McAfee fellow. "We have three remote code execution patches--one being for IE, which is prevalent. The other two are for HTML Help and Server Message Block, which are also installed on all PCs with Windows."

The other security bulletins included four rated "moderate" that affect Windows and the Exchange e-mail server. Three "important" alerts address problems in Windows, Windows Services for Unix, Internet Security and Acceleration Server and Small Business Server.

Microsoft's rating system deems a security issue as critical--its highest ranking--if it could enable a worm to spread without any action from the PC user. Important flaws are those that could compromise people's data or threaten system resources, while the risk from moderate security holes can be restricted by measures such as configuring the default.

The three critical flaws could allow an intruder to take control of a computer, Microsoft said. The problem in IE is a PNG Image Rendering Memory Corruption vulnerability and affects a range of versions, including IE 6 for Windows XP Service Pack 2.

PNG images are similar to JPEGs and are used in many multimedia formats. The IE vulnerabilities involve malformed fields that are not handled safely when the image is read or processed. That can result in a buffer overflow and open the system to a remote attacker.

"The PNG vulnerability is the most significant of the three," said Vincent Weafer, a senior director at Symantec Security Response. "This is a file format flaw and it's not something users are thinking of, which is why they need to watch out for it."

The Windows HTML Help vulnerability affects Windows XP Service Packs 1 and 2, Windows 2000 Service Packs 3 and 4, and other versions and service packs.

Although the Server Message Block flaw could let an intruder into a PC, the attacker needs to be authenticated on the system to exploit the vulnerability. Among the Windows versions threatened by the flaw are Windows XP Service Packs 1 and 2 and Windows 2000 Service Packs 3 and 4.

Microsoft gave IT administrators a heads-up about the fixes last week as part of its prenotification process. It said it expected "at least one" critical vulnerability among the 10 bulletins that were coming.

Last month, Microsoft's monthly patch cycle contained less severe vulnerabilities, as it issued only one important fix for its Windows 2000 Service Packs 3 and 4. The flaw would allow a malicious attacker to execute arbitrary code and take over users' computers if they were persuaded to view a malicious file.
