January 10, 2006 1:07 PM PST

Fixes in for Windows, Microsoft e-mail flaws

Microsoft on Tuesday released fixes for two "critical" security flaws, one in Windows and another in the Outlook e-mail client and Exchange mail server.

Both vulnerabilities could allow an attacker to gain complete control over vulnerable PCs or servers running the Microsoft software, the company said in two security bulletins, released as part of its monthly patching cycle.

The Windows problem lies in the way the operating system processes embedded Web fonts and affects all current versions of Windows. A vulnerable system could be compromised if the user opened an e-mail or visited a Web site containing a malicious font, Microsoft said in security bulletin MS06-002.

Outlook and Exchange are flawed in the way the applications decode certain e-mail messages, Microsoft said in security bulletin MS06-003. An attacker could craft a malicious e-mail message, and vulnerable systems would be compromised when the message is processed by Exchange or viewed by the Outlook user.

Both vulnerabilities were reported privately to Microsoft, which has not discovered any current cyberattacks that use the flaws as a conduit. Patches to repair the bugs are available via the online bulletins, and the company urges people to install those as soon as possible.

Broken Windows
Tuesday is Microsoft's first official Patch Tuesday of 2006. However, the company broke its monthly patching program last week to deliver a fix for another serious flaw in Windows. That bug, in the way the operating system renders Windows Metafile (WMF) images, is being used in exploits, experts have said.

On Monday, two new Windows image problems were reported on a popular e-mail list. Microsoft acknowledged those issues, but said they are performance problems, not security vulnerabilities.

The new Exchange and Outlook vulnerability affects all current versions of the software except Exchange 2003 with Service Pack 1 or Service Pack 2, Microsoft said. The issue is specific to the processing of mail that uses the Transport Neutral Encapsulation Format (TNEF), the encoding Outlook uses to send messages in Rich Text Format. For temporary protection, Exchange administrators could block TNEF until the patch is applied, Microsoft suggested.
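The bulletin's interim mitigation is to keep TNEF away from the vulnerable decoder. The filter below is an added example written for this page, not code from the article, Microsoft or either research firm: it parses a constructed sample message and drops every MIME part that looks like TNEF, judged by the declared type (application/ms-tnef), by the winmail.dat filename Outlook uses, or by the TNEF stream signature 0x223E9F78 in the decoded bytes, so a part relabelled with a generic name still gets caught. The sample message, its addresses and the X-TNEF-Stripped header name are constructed for the example; the real Exchange setting for blocking TNEF is not shown here.

```python
"""Gateway-side TNEF filter: detect and drop TNEF (winmail.dat) parts from a message."""
import email
from email import policy

# Every TNEF stream starts with the 32-bit signature 0x223E9F78, stored little-endian,
# so the first four bytes on the wire are 78 9F 3E 22.
TNEF_SIGNATURE = (0x223E9F78).to_bytes(4, "little")

# Constructed sample (not a real message): a text body, a harmless PDF attachment,
# a properly labelled winmail.dat, and a TNEF blob disguised with a generic name and
# type. The two "eJ8+IgAB" payloads decode to the TNEF signature plus a 2-byte key.
SAMPLE_MESSAGE = b"""\
From: sender@example.test
To: user@example.test
Subject: Q4 figures (rich text)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Figures attached.
--b1
Content-Type: application/pdf; name="figures.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="figures.pdf"

JVBERi0xLjQK
--b1
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="winmail.dat"

eJ8+IgAB
--b1
Content-Type: application/octet-stream; name="report.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.dat"

eJ8+IgAB
--b1--
"""


def is_tnef_part(part) -> bool:
    """True if a leaf MIME part carries TNEF, judged by type, filename, or magic bytes."""
    if part.is_multipart():
        return False
    if part.get_content_type() == "application/ms-tnef":
        return True
    if (part.get_filename() or "").lower() == "winmail.dat":
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:4] == TNEF_SIGNATURE


def _prune(msg) -> int:
    """Recursively remove TNEF leaf parts from a multipart; returns how many were dropped."""
    if not msg.is_multipart():
        return 0
    kept, removed = [], 0
    for part in msg.get_payload():
        if is_tnef_part(part):
            removed += 1
            continue
        removed += _prune(part)
        kept.append(part)
    msg.set_payload(kept)
    return removed


def strip_tnef(raw: bytes) -> tuple:
    """Parse a raw RFC 822 message, drop every TNEF part, return (filtered bytes, count)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not msg.is_multipart():
        # A bare TNEF body: replace it rather than forward it to the decoder.
        if is_tnef_part(msg):
            msg.set_content("TNEF content removed by gateway policy.")
            return msg.as_bytes(), 1
        return raw, 0
    removed = _prune(msg)
    if removed:
        msg["X-TNEF-Stripped"] = str(removed)  # hypothetical audit header
    return msg.as_bytes(), removed


def attachment_names(raw: bytes) -> list:
    """Filenames of the attachments present in a message, for verification."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    filtered, count = strip_tnef(SAMPLE_MESSAGE)
    print(f"removed {count} TNEF part(s); remaining attachments: {attachment_names(filtered)}")
```

The magic-byte check is the one that matters at a gateway: declared types and filenames are attacker-controlled, and the bulletin's trigger is the decoder, not the label. Blocking TNEF also strips legitimate Rich Text mail, so this is a stopgap until MS06-003 is installed, not a permanent control.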

The Windows problem was discovered and reported by eEye Digital Security, and the Exchange and Outlook flaw was found by Next Generation Security Software.


....it must get frustrating... really.
Posted by (96 comments)
Re: ....it must get frustrating... really.
That's all Microsoft-using weenies know, techs and users alike. Viruses, spyware, patch patch patch.

A question for anyone reading this: are all e-mail viruses considered Microsoft Outlook or Exchange viruses? Even the ones with built-in SMTP engines, they always use MS's address book, no? If the world stopped using Microsoft e-mail products, would mass viruses and e-mail-borne attacks become a bad memory? I believe it holds true for document viruses; only Microsoft Office has these issues. Therefore, FAIK all document macro viruses are correctly labeled as a Microsoft Office macro virus. If everyone stops using MS Office, would MS Office macro viruses be history?

It seems to me Microsoft has introduced attack vectors to nearly every data and application type except text files. But it is rumored they are working on that one. ;)

No vendor out there is perfect, but a convicted monopolist needs to be held accountable for its actions. If I were the judge, jury and executioner, Bill Gates would be doing a few years of time behind bars.

Posted by aabcdefghij987654321 (1721 comments)
'Bill' is not MSFT
"If the world stopped using Microsoft e-mail products, would mass viruses and e-mail born attacks become a bad memory?"

Unfortunately, no. We'd still have MS-Office macro viruses, and worms that exploit sloppily written PHP programs, and IE exploits. And some blame belongs to the snake oil salesmen who sell phony security-in-a-box. Security is a discipline, not a product.

"Bill Gates" is not the Microsoft Corporation. Conflating the two serves MSFT's propaganda effort. He's just a nerdy guy being bullied by that mean old Justice Department, you can feel sorry for him. If you mean Microsoft, please say MSFT, not "Bill." I agree he should be in prison, but I'd much prefer to see MSFT broken in at least three pieces (OS, apps, media) that aren't allowed to talk to each other in private.
Posted by clsgis (41 comments)
What is a FIX?
MS Exchange, MS Outlook and MS IE have always had flaws. And regardless of how much they patch... those same programs continue to have flaws.

Regardless of Microsoft's stance to increase the security in their applications... they've had more than enough time to prove whether they're worthy of doing that or not.

This article for one (out of millions of others) only goes to prove how false their security beef-up policy is.

They need to learn that YOU PATCH WHEN a VULNERABILITY IS FOUND!!! Not wait until it's exploited or until the next monthly patch... YOU PATCH IT ASAP!!!

Everybody else in the industry does that. Microsoft is the only exception otherwise.

And out of all the time they've had to get with it... they're still running WAY behind schedule which only proves that they can't keep up with the vulnerabilities AS They're Announced.

CRITICAL flaws are recommended to be patched within 24 hours... 72 hours latest... not held off until next month's security release!

But Microsoft has proven time and again... that they won't follow those common sense rules. It only goes to prove their ignorance of the matter and that their security statement means notta!!!

Posted by wbenton (522 comments)
