Microsoft on Wednesday warned of seven new security
holes detected in Windows and Exchange products, five of which carry ‘critical’ ratings.
In keeping with a new strategy to
release security patches on a predictable schedule, Microsoft bundled the
seven fixes into two separate advisories to simplify patch management for IT
admins and end users.
Of the five ‘critical’ flaws, four were found in Windows products and one
in Microsoft Exchange Server. (Advisories and patches available here.
According to a Microsoft spokesman, the monthly advisories would be
issued on the second Tuesday of every month. “That’s the schedule going
forward except for emergencies. If there is a major issue or a dangerous
exploit circulating, we’ll issue patches outside of the monthly schedule,”
the spokesman told internetnews.com.
The company also released Update Rollup 1 for Windows XP to allow
customers to get current on the necessary updates. The rollup, available via
Windows Update, is a cumulative set of hotfixes, security patches, critical
updates, and updates that are packaged together for easy deployment.
The latest fixes from Microsoft includes a patch for a hole in Exchange
Server that could allow arbitrary code execution. Microsoft Exchange Server
5.5 and Microsoft Exchange 2000 Server are both affected.
In Exchange Server 5.5, the company warned that a security vulnerability
exists in the Internet Mail Service that could allow an unauthenticated
attacker to connect to the SMTP port on an Exchange server and issue a
specially-crafted extended verb request. The request could potentially
allocate a large amount of memory and shut down the Internet Mail Service or
could cause the server to stop responding because of a low memory
condition.
In Exchange 2000 Server, a flaw could allow an unauthenticated attacker
to connect to the SMTP port on an Exchange server and issue a
specially-crafted extended verb request. That request could cause a denial
of service that is similar to the one that could occur on Exchange 5.5.
“Additionally, if an attacker issues the request with carefully chosen data,
the attacker could cause a buffer overrun that could allow the attacker to
run malicious programs of their choice in the security context of the SMTP
service,” Microsoft warned.
The company also warned of a ‘critical’ vulnerability in Authenticode
Verification that could allow remote code execution on systems running
Microsoft Windows. Affected products include Windows NT Workstation 4.0,
Windows 2000, Windows XP and Windows Server 2003.
To exploit this flaw, Microsoft said an attacker could host a malicious
Web Site to install and execute an ActiveX control on a susceptible
system.
Fixes have also been issued for a buffer overrun in the Windows
Troubleshooter ActiveX Control (Critical); a buffer overrun in Messenger
Service (Critical); a buffer Overrun in Windows Help and Support Center
(Critical) and a buffer overrun in the ListBox and in the ComboBox Control
(Important).
A patch with a “moderate” rating was also issued for a vulnerability in
Exchange Server 5.5 Outlook Web Access.