RealTime IT News

Microsoft Patches Trio of Vulnerabilities

Microsoft has issued software patches for three security vulnerabilities, including a flaw in Microsoft Outlook that could lead to the execution of harmful code.

The security fix for the widely deployed Outlook e-mail client affects Microsoft Office XP Service Pack 2 and Microsoft Outlook 2002 Service Pack 2. Microsoft has tagged the vulnerability with an "important" rating.

In its latest monthly patch release for March, the software giant also fixed an information disclosure hole in the MSN Messenger client and a denial-of-service flaw in Windows Media Services. Both advisories carry a "moderate" rating.

According to the MS04-009 alert, Outlook 2002 could allow the Internet Explorer browser to execute script code in the Local Machine zone on an affected system.

"To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page," the company warned.

Microsoft said an attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. A successful exploit could give an attacker access to files on a user's system or the ability to run arbitrary code in the security context of the currently logged-on user.

A separate advisory was issued to warn of a flaw in the MSN Messenger instant messaging product that could leak sensitive user information. Affected versions include MSN Messenger 6.0 and 6.1.

Microsoft said the vulnerability exists because of the method used by MSN Messenger to handle a file request. A successful exploit could let an attacker view the contents of a file on the hard drive without the user's knowledge as long as the attacker knew the location of the file and the user had read access to the file.

To exploit this vulnerability, an attacker would have to know the sign-on name of the MSN Messenger user in order to send the request.

A third advisory comes with a patch for a flaw in Windows Media Services that could be exploited to cause a denial of service. The vulnerability affects users running Microsoft Windows 2000 Server Service Pack 2, Service Pack 3, and Service Pack 4.

The bug exists because of the way that certain components of Windows Media Services handle TCP/IP connections. If a remote user were to send a specially-crafted sequence of TCP/IP packets to the listening port of either of these services, the service could stop responding to requests and no additional connections could be made. An affected server would need to be restarted to regain its functionality.