RealTime IT News

Microsoft Issues First Monthly Security Alert

Microsoft on Wednesday warned of seven new security holes detected in Windows and Exchange products, five of which carry 'critical' ratings.

In keeping with a new strategy to release security patches on a predictable schedule, Microsoft bundled the seven fixes into two separate advisories to simplify patch management for IT admins and end users.

Of the five 'critical' flaws, four were found in Windows products and one in Microsoft Exchange Server. (Advisories and patches are available from Microsoft.)

According to a Microsoft spokesman, the monthly advisories would be issued on the second Tuesday of every month. "That's the schedule going forward except for emergencies. If there is a major issue or a dangerous exploit circulating, we'll issue patches outside of the monthly schedule," the spokesman told internetnews.com.

The company also released Update Rollup 1 for Windows XP to allow customers to get current on the necessary updates. The rollup, available via Windows Update, is a cumulative set of hotfixes, security patches, critical updates, and updates that are packaged together for easy deployment.

The latest fixes from Microsoft include a patch for a hole in Exchange Server that could allow arbitrary code execution. Microsoft Exchange Server 5.5 and Microsoft Exchange 2000 Server are both affected.

In Exchange Server 5.5, the company warned that a security vulnerability exists in the Internet Mail Service that could allow an unauthenticated attacker to connect to the SMTP port on an Exchange server and issue a specially-crafted extended verb request. The request could potentially allocate a large amount of memory and shut down the Internet Mail Service or could cause the server to stop responding because of a low memory condition.

In Exchange 2000 Server, a flaw could allow an unauthenticated attacker to connect to the SMTP port on an Exchange server and issue a specially-crafted extended verb request. That request could cause a denial of service that is similar to the one that could occur on Exchange 5.5. "Additionally, if an attacker issues the request with carefully chosen data, the attacker could cause a buffer overrun that could allow the attacker to run malicious programs of their choice in the security context of the SMTP service," Microsoft warned.

The company also warned of a 'critical' vulnerability in Authenticode Verification that could allow remote code execution on systems running Microsoft Windows. Affected products include Windows NT Workstation 4.0, Windows 2000, Windows XP and Windows Server 2003.

To exploit this flaw, Microsoft said an attacker could host a malicious Web Site to install and execute an ActiveX control on a susceptible system.

Fixes have also been issued for a buffer overrun in the Windows Troubleshooter ActiveX Control (Critical); a buffer overrun in Messenger Service (Critical); a buffer overrun in Windows Help and Support Center (Critical); and a buffer overrun in the ListBox and ComboBox Control (Important).

A patch with a "moderate" rating was also issued for a vulnerability in Exchange Server 5.5 Outlook Web Access.