New critical flaws in Microsoft Windows have sent security experts scrambling to warn users of the ubiquitous operating

Numerous security vendors, including Secunia, issued warnings about the flaws after Chinese security group Xfocus first reported them last week. But as of Monday, Microsoft had not provided patches for the flaws.
Xfocus found that a buffer overflow exists in the LoadImage API of the USER32 library, enabling attackers to craft a custom file and deliver it within an HTML page or in an e-mail that would allow them to run arbitrary code on a

Xfocus also reported a hole in winhlp32.exe, the Windows .hlp file parsing program. The vulnerability stems from a decoding error within the .hlp header. A perpetrator can exploit the flaw by triggering a heap-based
Both the LoadImage and .hlp overflows may affect Windows NT, Windows 2000 SP0, SP1, SP2, SP3, SP4, Windows XP SP0, XP SP1 and Windows 2003. But the winhlp32.exe bug is more inclusive, affecting Windows XP SP2 as well.

Overflow flaws occur when a program writes more data into a region of memory than that region was allocated to hold. This makes it possible for attackers to run their own code on a PC. Overflows are some of the most common exploits in the Redmond, Wash., software giant's operating
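As an added illustration (not code from Xfocus, Microsoft or this article), the following constructed C snippet shows the pattern behind a header-driven heap overflow like the one described above: the first parser trusts the length field read from the file, while the hardened parser rejects any header whose declared length exceeds the fixed limit or the bytes actually present. The "TOY1" format, HDR_LEN and MAX_PAYLOAD are assumptions, not the real .hlp or image layout.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed toy format: 4-byte magic "TOY1", then a 32-bit little-endian
 * payload length, then the payload. Assumed layout, not a real file format. */
#define HDR_LEN 8
#define MAX_PAYLOAD 4096

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern, shown for contrast only: the length declared in the
 * header is trusted for the copy into a fixed-size heap buffer, so a file
 * claiming more than MAX_PAYLOAD bytes writes past the allocation. */
int parse_header_unchecked(const unsigned char *file, size_t file_len,
                           unsigned char **out) {
    if (file_len < HDR_LEN) return -1;
    uint32_t declared = rd_le32(file + 4);
    unsigned char *buf = malloc(MAX_PAYLOAD);
    if (!buf) return -1;
    memcpy(buf, file + HDR_LEN, declared); /* heap overflow if declared > MAX_PAYLOAD */
    *out = buf;
    return (int)declared;
}

/* Hardened: validate the magic and check the declared length against both
 * the fixed limit and the bytes really present before allocating or copying.
 * Returns the payload length on success, -1 on any malformed input. */
int parse_header_checked(const unsigned char *file, size_t file_len,
                         unsigned char **out) {
    *out = NULL;
    if (file_len < HDR_LEN) return -1;                 /* truncated header */
    if (memcmp(file, "TOY1", 4) != 0) return -1;       /* wrong magic */
    uint32_t declared = rd_le32(file + 4);
    if (declared > MAX_PAYLOAD) return -1;             /* oversized claim */
    if (declared > file_len - HDR_LEN) return -1;      /* claims more than the file holds */
    unsigned char *buf = malloc(declared ? declared : 1);
    if (!buf) return -1;
    memcpy(buf, file + HDR_LEN, declared);
    *out = buf;
    return (int)declared;
}
```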
While Microsoft hasn't acknowledged the bugs publicly, security firm Symantec suggested users update their virus definitions to include the Bloodhound.Exploit.19 signature, which blocks the LoadImage overflow. A .hlp overflow can be avoided if users block e-mail attachments with an .hlp extension and avoid sites or e-mail messages of questionable origin.
In other Microsoft flaw news, Xfocus said a malicious intruder can use a bug in Windows' animated cursor files (ANI) to crash or virtually seize a PC. Like the LoadImage overflow, this Windows Kernel ANI File Parsing Crash and DoS Vulnerability affects Windows NT, Windows 2000 SP0, SP1, SP2, SP3, SP4, Windows XP SP0, XP SP1 and Windows 2003.
Symantec today warned of Phel.A, a Trojan horse that affects Windows XP SP2. The Trojan is distributed as an HTML file that attempts to exploit a flaw in IE. It may be stymied with updated virus definitions from Symantec.