Desktop platforms Toolkit

Major Windows flaw patched

Dawn Kawamoto CNET News.com

Published: 11 May 2005 09:35 BST

Microsoft on Tuesday issued an "important" Windows security fix as part of its monthly patch cycle, tackling a script injection vulnerability that could allow an attacker to take over a PC.

The software giant also published two early alerts as part of its new pilot programme, Microsoft Security Advisories, which confirms reports of flaws and provides workarounds until it can send out a patch.

The monthly security bulletin addresses a vulnerability found in Windows 2000 Service Pack 3 and 4, which the company ranks as "important", its second-highest severity rating. The flaw also appears in the older Windows 98, Windows 98 Second Edition and Windows Millennium Edition.

"A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields," Microsoft said in its bulletin. "By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged-on user."

That attacker could install programs and view, change or delete data, or create new accounts with full user rights, Microsoft said.

Security company Symantec has rated the risk from the flaw as "medium", noting that some user interaction is required for it to be used for an attack. For example, the PC user would have to download a corrupt document or save the document from an email attachment, then browse to the document using Windows Explorer.

"It would be fairly easy for an attacker to create a malicious document that could compromise a system and circulate this document through email or websites," Oliver Friedrichs, senior manager at Symantec Security Response, said in a statement on Tuesday. "In order to combat this new and other security risks, users should always avoid opening files from unknown sources or following links to unverified sites. In addition, all users should deploy Internet security solutions such as antivirus software and firewall technology."

More recent versions of the operating system are not affected by the flaw. Microsoft said it has tested Windows XP Service Pack 1 and 2, Windows XP 64-bit Edition Service Pack 1 and Version 2003 for Itanium, XP Professional x64 Edition, Windows Server 2003 and its Service Pack 1, Windows Server 2003 for Itanium-based systems and its related Service Pack 1 for the vulnerability.

Microsoft is urging people with Windows 2000 SP3 and SP4 to download the security update. For the older versions, Microsoft noted on its Web site that it does not offer security patches to older versions of its software that it no longer supports, unless the vulnerability is rated "critical". The software giant did not offer any workarounds.

A Microsoft representative referred questions regarding what actions Windows 98 users should take to the company's Microsoft Lifecycle Support site. Big dollars in little devices

The software giant also released two security advisories of problems that do not necessarily require a patch from Microsoft. One notes a default setting in Windows Media Player Digital Rights Management could allow a user to open a Web page without requesting permission.

The second is a clarification of Microsoft's SMTP Tar Pit feature in Windows Server 2003 Service Pack 1 for Exchange Server 2003.

"Microsoft does not require or recommend that all customers implement this (Tar Pit) feature. It has been provided as an option for reducing the effectiveness of certain attacks that utilise standard features of the simple mail transfer protocol," the advisory notes.