Microsoft security: Four flaws uncovered

NEWS Microsoft has issued four security bulletins overnight, relating to its Windows operating system and SQL Server database software. Microsoft said the first new flaw discovered exploits a problem with ActiveX, the Microsoft technology that lets programs interact with websites and applications. The flaw could allow a buffer overrun, "which could be exploited by a Web page hosted on an attacker's site or sent to a user as an HTML mail," according to the security alert. A successful exploit would allow the hacker "to run code in the security context of the user, thereby gaining the same privileges as the user on the system." A second help file bug affects shortcuts used to find HTML help files. Normally, only help files "trusted" by the operating system would be able to take advantage of the shortcuts. "Two flaws allow this restriction to be bypassed," according to the security alert. "First, the HTML help facility incorrectly determines the Security Zone in the case where a web page or HTML mail delivers a .chm file to the Temporary Internet Files folder and subsequently opens it." The second attack, which would be more difficult to execute, involves HTML email contacting a .chm file and shortcut. Once open, Microsoft said, "the shortcut would be able to perform any action the user had privileges to perform on the system." Microsoft rated the ActiveX exploit as critical for desktop operating systems but moderate for internet and intranet servers. The help file exploit is moderate for desktop Windows and low for internet and intranet servers. Patches are available for 98 and 98 SE, XP, NT 4, NT 4 Terminal Edition and 2000. The Windows ME patch must be retrieved using the Windows Update feature. A second alert addressed two vulnerabilities related to compressed, or .zip, files. The problem affects Windows 98 versions with the "Plus! Pack" installed, as well as Windows ME and Windows XP. The first problem creates an unchecked buffer overrun when certain files are decompressed. "A specially malformed file name contained in a zipped file could possibly result in Windows Explorer failing, or in code of the attacker's choice being run," the security alert warned. The flaw could allow a hacker to place a decompressed file in a file directory other than the one intended. The hacker could, for example, place another malicious program in the Windows startup folder, which would execute when the computer reboots. Patches are available for 98 and XP. The Windows ME patch must be retrieved using Windows Update. Microsoft rated the security exploits as moderate for desktop operating systems and low for internet and intranet servers. The third security alert addressed problems that could affect many third-party software applications. The three vulnerabilities, which affect Windows NT 4, 2000 and XP, could result in denial-of-service attacks or allow hackers to run malicious code. Microsoft provides developers with tools for making it possible for Windows systems to interoperate with Unix operating systems, such as Sun Microsystems' Solaris. Microsoft uncovered three flaws affecting the Sun RPC (Remote Procedure Call) library in Microsoft's Services for UNIX (SFU) 3.0. Developers "need to evaluate three vulnerabilities," the security bulletin warned. The fourth security warning alerted customers to the availability of a cumulative patch for four separate, newly discovered flaws involving SQL Server 7 and SQL Server 2000. One buffer overrun exploit could allow for a malicious login and access to other key systems. "It would not be necessary for the user to successfully authenticate to the server or to be able to issue direct commands to it in order to exploit the vulnerability," the security alert warned. The second flaw, also a buffer overrun, affects the Database Console Commands that, if exploited, could give a hacker "complete control over all databases on the server." Microsoft deemed these and two other exploits, one involving system privileges, as critical. Patches are available for SQL Server 7 and SQL Server 2000. Joe Wilcox writes for News.com