This week in Microsoft security

Microsoft this week focused on flaws in Remote Desktop Protocol and Internet Explorer, while an IM worm targeted MSN Messenger, along with AOL's instant-messaging service.

The flaw related to Remote Desktop Protocol, or RDP, could let an attacker remotely crash computers. The flaw previously had been linked to Windows XP, but it actually affects several versions of the operating system, Microsoft said. Windows 2000, Windows XP and Windows Server 2003 are vulnerable.

RDP enables remote access to Windows systems. But because of a flaw in the way Windows handles remote desktop requests, an attacker could crash a PC by sending a malformed remote request, Microsoft said.

Microsoft is also investigating reports that a flaw in Internet Explorer's image-rendering capabilities may allow attackers to execute code remotely. A security consultant said he has found a number of possible flaws in the way the Web browser software handles JPEG images. The consultant said one of the flaws could be exploited for remote arbitrary code execution, a type of attack generally categorized as "critical" by security vendors.

Four proof-of-concept images that aim to exploit these flaws have been posted on the Web by the consultant. Each of these has the potential to crash IE 6, the latest version of Microsoft's browser, even if it has been patched with Service Pack 2.

An IM worm is also attracting Redmond's attention. MSN Messenger and America Online's Instant Messenger services are being targeted by malicious messages containing links that could infect a computer with a Trojan horse or dangerous worm.

The threat is a Trojan called Kirvo, which arrives in the form of an instant message from someone on the user's "friends" list. The message contains a link to a Web site, which, if clicked, loads a copy of Kirvo onto the computer.

Also of note
Microsoft announced plans to buy FrontBridge Technologies, a provider of secure messaging services...The software giant has invested in security specialist Finjan Software and licensed its patents, which cover ways to protect systems against previously unknown security threats....Selected software testers are getting a look at OneCare Live, Redmond's subscription antivirus and anti-spyware service...An enhanced beta version of Microsoft AntiSpyware is available...And Microsoft is reaching out beyond English speakers with Security360, its monthly security Webcast.