Microsoft Patches IE, Windows, Office Three Critical Vulnerabilities Patched Ed Sutherland
Microsoft released five patches today, three of which it deemed critical, including a highly exploited hole in Internet Explorer.
Thanking more than a half-dozen security researchers for pointing out a hole in its Internet Explorer application, Microsoft released a cumulative patch it said fixes the CreateTextRange vulnerability.
First reported by Copenhangen, Denmark-based Secunia Research, said the flaw could let malicious hackers turn systems using IE 6 into "spam zombies", as another security researcher characterized the threat.
Today's cumulative patch "resolves several vulnerabilities in Internet Explorer that could allow remote code execution," according to Microsoft. The software maker urged IE users to immediately apply the patch.
Prior to the cumulative security fix, several third-party patches were released to combat the vulnerability.
The security bulletin also includes a compatibility patch giving enterprise customers a 60-day reprieve to test Web applications before changes to ActiveX behavior
is made permanent.
The patch affects users of IE 5.01 and IE 6 running Windows XP, Windows Server 2003 and Windows 2003.
Two of today's five security patches involve IE, due mainly to IE's tight integration with other Windows components, Marc Maifret, co-founder of eEye Digital Security, told internetnews.com.
Maifret's company was just one that offered a third-party patch to fill the gap between Microsoft's official IE fix today.
As an example of the security threat posed by IE's integral position in the Windows operating system, Microsoft released a second critical security bulletin involving IE's Data Access Components (MDAC) library.
A vulnerability in the Remote Data Services portion of the library could permit hackers to bypass the browser's security restrictions and enable malicious objects to be run within IE's "Internet Zone."
An attacker could also gain complete remote control of a computer, including the ability to write to a system's hard drive, according to Microsoft.
The third critical patch resolves a newly discovered, privately reported vulnerability in Windows Explorer.
The security flaw could cause a user to connect to a remote file server, allow remote code execution and enable an attacker to take complete control of a system. The attack requires a user to visit a specially crafted Web site, according to Microsoft.
Maiffret said IE 7 will limit these vulnerabilities by creating an opt-in atmosphere where only Web-oriented objects access IE.
The bulletin, deemed important by Microsoft, replaces two prior security updates. The flaw affects Outlook Express 5.5 and Outlook Express 6 on Microsoft Windows XP, Microsoft Windows 2000 and Windows Server 2003.
The flaw involves Outlook Express' use of a Windows Address Book (.wab) file. An attacker could gain complete control of a system. A user would need to be logged in with administrative privileges.
The final security bulletin addresses a "moderately severe" flaw in Microsoft Windows, FrontPage Server Extensions and SharePoint Team Services 2002.
The patch fixes a cross-site scripting vulnerability allowing an attacker to run a local script as a FrontPage Server user, resulting in complete control of a FrontPage Extensions Server, according to Microsoft.
The vulnerability requires a user to click on an e-mail's Web address.
