Computerworld - Microsoft Corp. today issued its first monthly security update since announcing the new initiative last week (see story).
The update consists of five Windows vulnerabilities, four of which the company deemed "critical."
Three of the flaws affect all recent Microsoft operating systems, including Windows NT, Windows 2000, Windows XP and Windows Server 2003. The fourth critical flaw affects only Windows 2000.
Microsoft also released a security bulletin summary that details two Exchange Server vulnerabilities, one of which it called "critical." It also released patches for those flaws.
As for the Windows vulnerabilities, security bulletin MS03-041, there is a vulnerability in Authenticode that, under certain low-memory conditions, could allow an ActiveX control to download and install without asking the user for approval to do so. An attacker could host a malicious Web site designed to exploit this vulnerability, Microsoft said.
According to security bulletin MS03-042, a vulnerability exists in the Microsoft Local Troubleshooter ActiveX control (Tshoot.ocx), which could allow a buffer overflow that would let an attacker run malicious code on a user's system.
According to security bulletin MS03-043, a flaw in the operating system's Messenger Service could allow arbitrary code to be executed on an affected system. The vulnerability results because the Messenger Service doesn't properly validate the length of a message before passing it on to the allocated buffer.
According to security bulletin MS03-044, a flaw exists in the Help and Support Center function that ships with Windows XP and Windows Server 2003. The vulnerability can arise when a file associated with the Human Communications Protocol contains an unchecked buffer.
An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, could execute malicious code.
The fifth Windows vulnerability, which was listed by Microsoft in Security Bulletin MS03-045 as "important," affects Windows NT, Windows 2000, Windows XP and Windows Server 2003 and could give an attacker "complete control over the system by using Utility Manager in Windows 2000."
According to security bulletin MS03-046, a flaw exists in the Internet Mail Service that could allow an attacker to connect to the SMTP port on an Exchange server and issue a memory allocation command that could shut down the Internet Mail Service or cause the server to stop responding. That flaw affects Microsoft Exchange Server 5.5, Service Pack 4 and Microsoft Exchange 2000 Server, Service Pack 3.
And, according to security bulletin MS03-047 a cross-site scripting (XSS) flaw in Microsoft Exchange Server 5.5, Service Pack 4, involves the way Outlook Web Access (OWA) performs HTML encoding in the Compose New Message form.
Microsoft labeled that a "moderate" vulnerability.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
