Five Critical Fixes in Latest Microsoft Update

UPDATED: Microsoft released its latest batch of patches Tuesday, addressing a number of vulnerabilities in its software.

April’s “Patch Tuesday” brings fixes to the Windows operating system, Internet Explorer (IE), Messenger, Exchange Server and Word. Microsoft rates five of the flaws “critical” and three “important.”

As promised, Patch Tuesday also marks an end to the automatic block Microsoft had put
in place for Windows XP Service Pack 2. A Microsoft spokesperson said
enterprise users could still block the service pack through the use of a
patch management application.

Windows Server 2003 Service Pack 1 users are not affected by the vulnerabilities, officials said, as the patches were applied before the March 30 launch of the software.

Five of the patches address vulnerabilities that could allow a malware writer to take control of a user’s computer:

• MS05-023 is a critical bug affecting various version of the Windows Word program. If attackers execute a buffer overrun, they can view, change or delete data on the computer.
• MS05-022 addresses a known critical vulnerability in MSN Messenger, originally covered in MS05-009, that affects how the instant messaging program handles PNG image formats. A successful exploit allows the attacker remote control over the PC.
• MS05-021 updates a critical bug found last year in Windows Exchange 2000 to include Exchange 2003 and Exchange 2003 Service Pack 1. The vulnerability stems from a weakness in the way the software’s SMTP component handles DNS lookups.
• All Windows operating system users are affected by MS05-019, a critical TCP/IP vulnerability that allows a malware writer to send a specially-crafted IP or Internet control message protocol (IMCP) message to reset TCP connections or start a DoS attack .
• MS05-016 patches an important vulnerability in the way the Windows shell handles application associations, affecting users logged in with administrative privileges. It replaces MS05-008, the “drag and drop” vulnerability originally released in February.

Microsoft also released a critical cumulative security update, MS05-020, for IE 5 and 6 on most versions of their operating systems. The first patch fixes the way IE handles DHTML objects, Content Advisor files and certain URLs in a Web page created by a malware writer. If a user visits one of those crafted pages, it could allow the attacker to gain control over the machine.

Several vulnerabilities in the Windows kernel were rolled into MS05-018, rated an important patch by Microsoft officials. Vulnerabilities in the way Windows handles fonts, CSRSS and the kernel could give the attacker higher privileges on the network if exploited. A fourth vulnerability, affecting the kernel’s object management, could give the attacker a means to launch a DoS attack.

The last patch, MS05-017, addresses an important vulnerability in message queuing affecting Windows XP, Windows 2000 and Windows 98 users that could give the attacker total control of the system.. Officials only rated it an important patch because, by default, the message queuing component is not installed on the user’s computer.

Microsoft added extra notification services to Windows users in addition to the latest patches. Users can now receive security bulletin notifications through an RSS feed or through their MSN Messenger Alerts. Enterprise users got a boost to their Microsoft Baseline Security Analyzer with the release of a supplemental enterprise-scanning tool.