Information Security News mailing list archives

Microsoft issues patches for five software flaws


From: InfoSec News <isn () c4i org>
Date: Thu, 16 Oct 2003 01:24:02 -0500 (CDT)

http://www.nwfusion.com/news/2003/1020mssec.html

By Linda Rosencrance
Computerworld
10/15/03

Microsoft Wednesday issued its first monthly security update since 
announcing the new initiative last week. 

The update addresses five Windows vulnerabilities, four of which the 
company deemed "critical."

Three of the flaws affect all recent Microsoft operating systems, 
including Windows NT, Windows 2000, Windows XP and Windows Server 
2003. The fourth critical flaw affects only Windows 2000. 

According to security bulletin MS03-041, there is a vulnerability in 
Authenticode that, under certain low-memory conditions, could allow an 
ActiveX control to download and install without asking the user for 
approval to do so. An attacker could host a malicious Web site 
designed to exploit this vulnerability, Microsoft said. 

According to security bulletin MS03-042, a vulnerability exists in the 
Microsoft Local Troubleshooter ActiveX control (Tshoot.ocx), which 
could allow a buffer overflow that would let an attacker run malicious 
code on a user's system. 

According to security bulletin MS03-043, a flaw in the operating 
system's Messenger Service could allow arbitrary code to be executed 
on an affected system. The vulnerability exists because the Messenger 
Service doesn't properly validate the length of a message before 
copying it into the allocated buffer. 

According to security bulletin MS03-044, a flaw exists in the Help and 
Support Center function that ships with Windows XP and Windows Server 
2003. The vulnerability can arise when a file associated with the 
Human Communications Protocol contains an unchecked buffer. 

An attacker could exploit the vulnerability by constructing a URL 
that, when clicked on by the user, could execute malicious code. 
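The unchecked-length copy that MS03-043 describes (and, more generally, the unchecked-buffer class behind MS03-042 and MS03-044) can be shown with a small C illustration. This is an added example, not Microsoft's code, and it does not model the Messenger Service's real message format: the two-byte length prefix, the 64-byte buffer and the sample packets are all constructed for this example. The first parser trusts the sender's declared length, which is the defect the bulletin names; the second rejects any packet whose declared length does not fit the destination buffer or exceeds the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed format: 2-byte big-endian length, then payload. Constructed
 * buffer size. Neither is the Windows Messenger Service wire format. */
#define MSG_BUF_SIZE 64

struct message {
    uint16_t len;
    char body[MSG_BUF_SIZE];
};

/* The defect the bulletin describes: the sender-supplied length drives the
 * copy and is never compared with the destination size, so a declared
 * length above MSG_BUF_SIZE runs past out->body. Shown for contrast only;
 * nothing below calls it. */
void parse_message_unchecked(const uint8_t *pkt, struct message *out)
{
    uint16_t declared = (uint16_t)((pkt[0] << 8) | pkt[1]);
    memcpy(out->body, pkt + 2, declared);   /* no bounds check */
    out->len = declared;
}

/* Hardened form. Returns 0 on success, -1 when the packet is malformed,
 * claims more bytes than were received, or would not fit the buffer
 * (one byte is reserved for the terminating NUL). */
int parse_message_checked(const uint8_t *pkt, size_t pkt_len, struct message *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return -1;
    uint16_t declared = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (declared >= MSG_BUF_SIZE)           /* would overflow body[] */
        return -1;
    if ((size_t)declared > pkt_len - 2)     /* claims more than was received */
        return -1;
    memcpy(out->body, pkt + 2, declared);
    out->body[declared] = '\0';
    out->len = declared;
    return 0;
}

/* Runs five constructed packets through the checked parser and returns a
 * bitmask with bit i set when sample i was accepted. Only the well-formed
 * 5-byte and 63-byte messages should pass, giving 0x09. */
int classify_samples(void)
{
    static uint8_t valid[]     = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    static uint8_t oversized[] = {0x00, 0xC8, 'x', 'x', 'x'};       /* claims 200 bytes */
    static uint8_t truncated[] = {0x00, 0x0A, 'a', 'b', 'c', 'd'};  /* claims 10, sends 4 */
    static uint8_t max_fit[2 + MSG_BUF_SIZE - 1];                    /* claims 63: fits */
    static uint8_t one_over[2 + MSG_BUF_SIZE];                       /* claims 64: too big */

    max_fit[0] = 0x00; max_fit[1] = MSG_BUF_SIZE - 1;
    memset(max_fit + 2, 'A', MSG_BUF_SIZE - 1);
    one_over[0] = 0x00; one_over[1] = MSG_BUF_SIZE;
    memset(one_over + 2, 'B', MSG_BUF_SIZE);

    const uint8_t *pkts[5] = {valid, oversized, truncated, max_fit, one_over};
    size_t lens[5] = {sizeof valid, sizeof oversized, sizeof truncated,
                      sizeof max_fit, sizeof one_over};
    struct message m;
    int mask = 0;
    for (int i = 0; i < 5; i++)
        if (parse_message_checked(pkts[i], lens[i], &m) == 0)
            mask |= 1 << i;
    return mask;
}

int main(void)
{
    printf("accepted sample mask: 0x%02x\n", classify_samples());
    return 0;
}
```

The two checks are deliberately separate: the first protects the destination buffer, the second protects against reading past the received data, and a parser that does only one of them is still unsafe.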

The fifth vulnerability, which was listed by Microsoft in Security 
Bulletin MS03-045 as "important," affects Windows NT, Windows 2000, 
Windows XP and Windows Server 2003 and could give an attacker 
"complete control over the system by using Utility Manager in Windows 
2000." 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

