July 9, 2003 11:51 AM PDT
Microsoft patches holes in Windows
The most serious of the flaws is what is known as a buffer overrun vulnerability, which could allow an attacker to use an unchecked buffer to run their own executable code.
This flaw, located in the HTML converter in Microsoft's Windows operating system, could be used by attackers to deliver the code either by sending an HTML e-mail or by creating a specially crafted Web page that triggers a download of the code.
Because the security hole can be exploited without any action on the part of the user, Microsoft described it as critical, the highest rating in the software maker's four-level system.
The vulnerability exists in many recent versions of Windows, including Windows XP, Windows 2000, Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0 Server and Windows Server 2003. However, the flaw is only rated moderate for Windows Server 2003, because that software ships with a setting known as Enhanced Security Configuration designed to minimize the risk of unauthorized code being launched.
Microsoft posted a patch for the vulnerability on its Web site.
"We certainly want everyone to apply the patch in order to protect their computers," Microsoft Security Response Center's Stephen Toulouse said.
Toulouse said the company learned of the flaw after it was posted to several security mailing lists last month.
"We are disappointed that the finder chose not to bring that directly to us," Toulouse said. "As soon as we were made aware of that, we began our program to develop a fix as fast as we could."
The other Microsoft bulletins deal with two flaws rated as "important." The first concerns another buffer overrun problem in Windows NT, Windows 2000 Server and Windows XP. The vulnerability is related to the Server Message Block (SMB) protocol used by the operating system to share files and printers, among other things.
The last of the warnings deals with a flaw within Windows 2000's utility manager that could allow a user to elevate their system privileges.
The alerts are the latest in a string of periodic bulletins from Microsoft and are its 23rd, 24th and 25th such warnings of the year. Last month the company issued fixes for two security holes in its media software. In May, Microsoft warned of vulnerabilities in its Internet Information Services (IIS) software.