August Windows patches arrive

Joris Evers CNET News

Published: 10 Aug 2005 09:10 BST

Microsoft has issued alerts on several security flaws in Windows, the most serious of which could allow an attacker to gain control over a computer.

The software maker released six security bulletins on Tuesday as part of its monthly patching cycle, describing three of them as "critical". Microsoft gives that rating to any security issue that could allow an Internet worm to spread without any action required on the part of the user.

One bulletin addresses three vulnerabilities in Internet Explorer (IE), Microsoft's Web browser. These issues carry the highest risk of attack out of all the issues fixed, Oliver Friedrichs, a senior manager at Symantec Security Response, said.

Two other flaws, affecting the plug-and-play feature and printing in Windows, could also spell some trouble for users, he said.

An error in the way IE handles JPEG images is especially alarming, as previously reported. An attacker could commandeer a PC by crafting a malicious image and tricking the victim into looking at it on a Web site or in an HTML email, for example, Microsoft said in its MS05-038 security bulletin.

"These vulnerabilities can be leveraged by malicious Web sites to install spyware, Trojan horses, bots or other programs on an unsuspecting user's machine," Friedrichs said.

The other two IE flaws could also enable an attacker to take control of a user's computer. One vulnerability lies in how the browser handles URLs, related to a feature that lets users view file folders in IE. The other deals with the ability of IE to call on other parts of Windows and is similar to a problem patched last month.

While the IE issues affect all currently supported versions of the browser and Windows, Microsoft's two other "critical" security bulletins have a more limited scope. These aren't as far-reaching within Microsoft's more recent operating system products.

A flaw in the plug-and-play feature in Windows could allow an anonymous attacker to remotely access and control Windows 2000 systems, Microsoft said in security bulletin MS05-039. However, such an attack is not possible on computers running Windows XP with Service Pack 2 and Windows Server 2003, the company said.

Also, a bug in the Windows print spooling service could let an intruder gain access to machines running Windows 2000 and Windows XP with Service Pack 1. The same attack on systems running Windows XP SP2 and Windows Server 2003 would only cause a crash, according to Microsoft's MS05-043 bulletin.

All current versions of Microsoft's operating system are vulnerable to a problem with a Windows component that supports telecommunication, Microsoft said in its MS05-040 bulletin, rated "important". However, it primarily affects servers configured as telephony servers, the company said. An attacker could commandeer such a system by sending it a specially crafted request.

The two remaining bulletins are rated "moderate". One fixes a previously known security flaw, involving the Remote Desktop Protocol (RDP), that could let a hacker remotely crash computers running Windows. The other relates to Microsoft's implementation of the Kerberos authentication protocol.

RDP is a protocol that enables remote access to Windows systems. Because of a flaw in the way Windows handles remote desktop requests, an attacker could crash a PC by sending a malformed remote request, Microsoft said in bulletin MS05-041.

The Kerberos problem affects only Windows 2000 and Windows Server 2003 systems used as domain controllers. A specially crafted message sent to a system could cause it to crash, Microsoft said.

Another flaw related to Kerberos could let an attacker spoof a domain controller and potentially access a network, but can't be exploited by anonymous users, Microsoft said in bulletin MS05-042.

Microsoft urges its customers to apply the patches as soon as possible. Users of Automatic Updates in Windows will get the patches automatically. Microsoft is not aware of any current attacks that take advantage of the problems patched in the bulletins.
