February 8, 2006
Microsoft (MSFT) on Tuesday warned of two security issues that could put some Windows users at risk of Web attacks and said it is investigating a third possible vulnerability.
By Joris Evers
One security problem is reminiscent of the recent high-profile security woes that affected Windows. It is related to how aging versions of the Web browser Internet Explorer handle malformed Windows Meta File images on the Windows Millennium Edition and Windows 2000 operating systems.
The flaw exists only in IE 5.01 version of the Web browser with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, MFST said in a security advisory. Users could be attacked simply by viewing a malicious image on a Web site, in an e-mail or in an image viewer, MFST said.
"An attacker who successfully exploited this vulnerability could take complete control of the affected system," MFST said in its advisory.
Though the WMF vulnerability may appear similar to previous flaws related to WMF that plagued Windows, the issue is different, MFST said. Last month the software maker rushed out a fix for a WMF rendering flaw that was being exploited to install spyware on the computers of unwitting Windows users.
To remedy this new WMF problem, MFST recommends users upgrade to IE6 with Service Pack 1 and said it may issue a security patch.
In a second security advisory, MFST warned of a problem with overly permissive access controls in Windows XP and Windows Server 2003. The problem exists only in versions that do not have the latest service packs installed, the company said.
The access control issue could be exploited by a user with low privileges to run programs and commands that normally require a higher privilege level, MFST said. The software maker suggests installing Service Pack 2 on Windows XP or Service Pack 1 on Windows Server 2003 to limit exposure, or manually changing access controls on the four affected Windows components.
In addition to the security advisories, a MFST representative on Tuesday said the company is investigating a potential vulnerability in its HTML Help Workshop, a part of the HTML Help Software Development Kit version 1.4.
Attack code that takes advantage of the flaw is publicly available. A successful attack could give an attacker full control over a vulnerable computer, security monitoring company Secunia said in an alert. However, the scope is limited because the vulnerable software is used only by software developers and is not part of Windows, according to MFST.
"MFST's initial investigation has revealed that customers who have not installed the HTML Help SDK on their systems are not impacted by this report," the representative said.
MFST's next "patch Tuesday" is on Feb. 14. The company on Thursday is expected to release some details on what software fixes it will deliver.
Back to the Top