Microsoft Patches IE, Windows, Office

Microsoft released five patches today, three of which it deemed critical, including a highly exploited hole in Internet Explorer.

Thanking more than a half-dozen security researchers for pointing out
a hole in its Internet Explorer application, Microsoft released a cumulative patch it said fixes the CreateTextRange vulnerability.

First reported by Copenhangen, Denmark-based Secunia Research, said the flaw could let malicious hackers turn systems using IE
6 into “spam zombies”, as another security researcher characterized the threat.

Today’s cumulative patch “resolves several vulnerabilities in
Internet Explorer that could allow remote code execution,” according to
Microsoft. The software maker urged IE users to immediately apply the patch.

Prior to the cumulative security fix, several third-party patches were released to combat the vulnerability.

The security bulletin also includes a compatibility patch giving
enterprise customers a 60-day reprieve to test Web applications before changes to ActiveX behavior
is made permanent.

The patch affects users of IE 5.01 and IE 6 running Windows XP,
Windows Server 2003 and Windows 2003.

Two of today’s five security patches involve IE, due mainly to IE’s tight integration with other Windows components, Marc
Maifret, co-founder of eEye Digital Security, told
internetnews.com.

Maifret’s company was just one that offered a
third-party patch to fill the gap between Microsoft’s official IE fix today.

As an example of the security threat posed by IE’s integral position
in the Windows operating system, Microsoft released a second critical security bulletin involving IE’s Data Access Components (MDAC) library.

A vulnerability in the Remote Data Services portion of the library could
permit hackers to bypass the browser’s security restrictions and enable
malicious objects to be run within IE’s “Internet Zone.”

An attacker
could also gain complete remote control of a computer, including the
ability to write to a system’s hard drive, according to Microsoft.

The third critical patch resolves a newly discovered, privately reported vulnerability in Windows Explorer.

The security flaw could cause a user
to connect to a remote file server, allow remote code execution and
enable an attacker to take complete control of a system. The attack
requires a user to visit a specially crafted Web site, according to
Microsoft.

Maiffret said IE 7 will limit these vulnerabilities by creating an
opt-in atmosphere where only Web-oriented objects access IE.

Outlook Express is the subject of another security update.

The bulletin,
deemed important by Microsoft, replaces two prior security updates. The
flaw affects Outlook Express 5.5 and Outlook Express 6 on Microsoft
Windows XP, Microsoft Windows 2000 and Windows Server 2003.

The flaw involves Outlook Express’ use of a Windows Address Book
(.wab) file. An attacker could gain complete control of a system. A user
would need to be logged in with administrative privileges.

The final security bulletin addresses a “moderately severe” flaw in Microsoft
Windows, FrontPage Server Extensions and SharePoint Team Services 2002.

The patch fixes a cross-site scripting vulnerability allowing an
attacker to run a local script as a FrontPage Server user, resulting in
complete control of a FrontPage Extensions Server, according to
Microsoft.

The vulnerability requires a user to click on an e-mail’s Web
address.

News Around the Web