Microsoft Warns on Windows, IE Flaws

Microsoft is warning Windows and Internet Explorer users to take steps
to prevent two security exploits. The two advisories affect
Microsoft Windows Millennium and Internet Explorer 5.

Users of Internet Explorer 5.0 and Internet Explorer 5.5 on Windows
Millennium Edition and Windows 2000 face possible attacks from misuse of
Windows Metafile graphic images to take control of computers.

According to the advisory, this vulnerability could allow an attacker to execute
arbitrary code on the user’s system.

Still
bruised by previous WMF security flaws, the Redmond, Wash.-based
Microsoft emphasized the current WMF exploit is different from the
problem patched last month.

Unlike last month’s spyware concerns, this flaw requires some action by
users, such as opening an e-mail attachment or clicking a link that
takes them to a malicious Web site. The immediate cure: installing
Internet Explorer 6 Service Pack 1.

Microsoft also is addressing security trouble permitting a privilege
security vulnerability created by some third-party software.

The flaw,
first reported to the Redmond software giant by two Princeton University
researchers, could allow access controls to be changed, permitting
someone with low security to issue commands normally reserved for the
computer’s owner.

The problem is present in Windows XP or Windows Server
2003 computers that have not upgraded to the latest service packs.
Alternately, permissions for the four affected default Windows XP and
Windows Server 2003 components can manually be set.

Microsoft is not aware of any attacks employing the Princeton
“proof-of-concept” security concern, according to the software maker.

Two of the four Windows services would need to be run while in
privileged mode, while others are vulnerable when operated in Windows XP
Service Pack 1, according to the company’s advisory.

Microsoft’s next patch Tuesday is Feb. 14

News Around the Web