Microsoft’s ‘Critical’ Patches Include IE Fix

Microsoft released its October batch of security advisories
Tuesday with a slew of “critical” patches, including a
monster fix for the Internet Explorer browser.

In all, the software giant issued 10 advisories, seven rated
“critical” and three with the lower “important” rating.

In addition, Microsoft re-released the MS04-028
bulletin to correct newly discovered issues for customers running
Windows XP Service Pack 2 (SP2). The updated MS04-028 advisory covers
JPEG Parsing (GDI+) in Windows, Office and other graphics programs, and
comes at a time when active exploits
are already making the rounds.

The most notable fix released Tuesday (download MS04-038)
covers known holes in the IE browser, and Microsoft warned
that active exploits are already targeting Windows users. The
cumulative IE patch includes a fix for a CSS Heap Memory Corruption flaw
that could allow remote code execution; a name redirection flaw that
would give an attacker access to a susceptible PC and a drag-and-drop
vulnerability that gives malicious hackers complete control of an
affected system.

Information on the drag-and-drop weakness, which affects IE versions
5.01, 5.5 and 6.0 on Microsoft Windows XP SP1 or SP2, has been available
for nearly two months.

The IE patch also includes a fix for an Install Engine vulnerability;
two separate flaws that could lead to address bar spoofing; an SSL
caching weakness; and a privilege elevation vulnerability in the way IE
processes scripts in image tags.

Microsoft issued another critical alert (download MS04-034)
to plug a remote code execution bug in the way
that Windows processes Compressed (zipped) Folders. Microsoft warned
that a successful exploit could let an attacker take complete control of
an affected system, including installing programs; viewing, changing, or
deleting data; or creating new accounts with full privileges.

Windows Server 2003 SMTP Component

The company also released a fix (download MS04-035)
for a code execution flaw in the way the Windows Server
2003 SMTP component handles Domain Name System (DNS) lookups.

“An attacker could exploit the vulnerability by causing the server to
process a particular DNS response that could potentially allow remote
code execution. An attacker who successfully exploited this
vulnerability could take complete control of an affected system,”
Microsoft warned.

The “critical” SMTP bug also exists in the Microsoft Exchange Server
2003 Routing Engine component when installed on Microsoft Windows 2000
Service Pack 3 or on Microsoft Windows 2000 Service Pack 4.

A separate patch with a “critical” rating (download MS04-036)
was also issued for a remote code execution vulnerability in
the Network News Transfer Protocol (NNTP) component used in Microsoft
Windows or Microsoft Exchange Server.

Microsoft said the NNTP hole could allow an attacker to construct a
malicious request to launch harmful code and take over a user’s PC.

Download MS04-037
was also released to cover two holes in Windows Shell that
could lead to harmful code execution. It corrects the way that the
Windows Shell starts applications, and it corrects a bug in the way specially crafted
requests are handled in the Program Group Converter.

The company’s Office Excel product suite was also patched to protect
against a remote
code execution vulnerability. Affected users can find the MS04-033 advisory here.

Windows Kernel Flaw

Another “critical” patch released Tuesday covers a remote code execution
vulnerability in all versions of Windows NT 4.0, Windows 2000, Windows
XP and Windows Server 2003. The patch corrects four flaws and replaces
existing patches to window management, virtual DOS machine, Windows
kernel and graphics rendering engine vulnerabilities released earlier by
Microsoft.

The virtual DOS machine and window management breaches are both
privilege elevation vulnerabilities, meaning attackers could gain
administrative rights to an entire group of computers in the network. From
there, they could add new users, delete others, install
software or delete files in the network. The graphics engine
vulnerability is a remote code execution flaw that attacks through
Windows metafile and enhanced metafile images, and gives the cracker
complete control of the system.

The kernel flaw allows the malicious code to launch a Denial-of-Service
attack on the system’s resources, causing the machine to stop
responding. A fix for the four flaws, broken down by operating system
type, can be downloaded here.

Microsoft had to restrict some of the functionality in the Internet
standard Web-based Distributed Authoring and Versioning (WebDAV)
requests to plug a vulnerability that allowed malware to consume all
available memory and CPU time on an affected server, according to the
company’s alert.

Security officials discovered that WebDAV — a set of extensions
in HTTP (an Internet standard with the IETF) for file collaboration
on remote servers — doesn’t put a limit on the number of attributes
that can be passed to the server, thus allowing the malicious coder room
to execute a DoS attack.

Microsoft officials imposed new limits on WebDAV, which will cause
previously valid requests to fail. The vulnerability affects Internet
Information Services 5.0/5.1/6.0 users and several versions of Windows
XP/2000/2003. Users can download the patch here.

Microsoft also fixed a separate code execution flaw in its
venerable Network Dynamic Data Exchange (NetDDE), which allows two
computers to talk to each other. NetDDE, which is used with Microsoft
Chat, Microsoft Hearts and, in some cases, Excel, could cede total
control to the attacker, the company warned. It’s not considered a
critical vulnerability because NetDDE has to be running before the attacker can take advantage
of the flaw.

The vulnerability affects versions of Windows XP/NT Server 4.0 and
Windows 98/98 SE/ME. Windows XP users with Service Pack 2 are not
affected by the vulnerability. Users can download the patches here.

Another important security patch released Tuesday plugs a flaw found
in the Remote Procedure Call (RPC) run-time library, a protocol that
allows a program on one system to access services on another machine.
Malware capitalizing on this flaw can either launch a DoS attack or read
portions of active memory on the user’s machine.

The patch, which applies to Service Pack 6 for Windows NT Server 4.0
and 4.0 Terminal Server Edition, allows the RPC Runtime Library to
validate message length before it’s released to the buffer. Users can
download the patch here.
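The RPC fix described above boils down to one discipline: check a message's declared length against both the bytes actually received and the destination buffer before copying anything. The following C program is an added illustration of that check, not Microsoft's code and not the real RPC wire format; it assumes a hypothetical message layout of a 4-byte little-endian body length followed by the body, and the sample messages are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical message: 4-byte little-endian body length, then the body.
 * This is a constructed illustration of the class of check the article
 * describes, not the real RPC run-time library format. */
#define MAX_BODY 64

typedef struct {
    uint32_t declared_len;
    uint8_t  body[MAX_BODY];
} message_t;

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the declared length before it is "released to the buffer":
 * a length larger than the destination would overflow out->body, and a
 * length larger than what was received would read past the input. */
int parse_message(const uint8_t *buf, size_t buf_len, message_t *out) {
    if (buf_len < 4) return PARSE_TRUNCATED;       /* no complete header */
    uint32_t len = read_le32(buf);
    if (len > MAX_BODY) return PARSE_TOO_LONG;       /* would overflow body[] */
    if ((size_t)len > buf_len - 4) return PARSE_TRUNCATED; /* would overread */
    out->declared_len = len;
    memcpy(out->body, buf + 4, len);                 /* only now is the copy safe */
    return PARSE_OK;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_GOOD[]      = {0x05,0x00,0x00,0x00,'h','e','l','l','o'};
static const uint8_t SAMPLE_TRUNCATED[] = {0x10,0x00,0x00,0x00,'h','e','l','l','o'}; /* claims 16, carries 5 */
static const uint8_t SAMPLE_OVERSIZED[] = {0xff,0xff,0xff,0x7f,'h','e','l','l','o'}; /* claims ~2 GiB */

int check_good(void)      { message_t m; return parse_message(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &m); }
int check_truncated(void) { message_t m; return parse_message(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &m); }
int check_oversized(void) { message_t m; return parse_message(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, &m); }

/* Returns 1 when the good message's body was copied intact. */
int check_good_body(void) {
    message_t m;
    if (parse_message(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &m) != PARSE_OK) return 0;
    return m.declared_len == 5 && memcmp(m.body, "hello", 5) == 0;
}

int main(void) {
    printf("good:      %d\n", check_good());       /* 0  (PARSE_OK) */
    printf("truncated: %d\n", check_truncated());  /* -1 (PARSE_TRUNCATED) */
    printf("oversized: %d\n", check_oversized());  /* -2 (PARSE_TOO_LONG) */
    return 0;
}
```

Both rejections happen before `memcpy` runs, which is the point of the patch as the article describes it: a message whose header lies about its size is dropped instead of driving the copy length. Distinct error codes also give a server something concrete to log, so a burst of truncated or oversized messages from one client is visible as an event rather than a crash.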
