Print
Discuss
Send to friend
RSS feedsMicrosoft has detailed three newly discovered security flaws, two of which it rates as 'critical' because they could allow hackers to take remote control of compromised PCs.
The critical MS05-001 bug uses a handling flaw in HTML to allow malicious third parties to run arbitrary code remotely on unpatched PCs. The vulnerability exists in the HTML Help ActiveX control in Windows.
"If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft warned.
An attacker could then install programs, view, change or delete data, or create new accounts with full privileges.
Users whose accounts are configured to have fewer privileges on the system could be less affected than those who operate with administrative privileges.
The other critical flaw centres on a vulnerability in cursor and icon format handling that could also allow remote code execution.
An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, install programs, view, change or delete data, or create new accounts that have full privileges, according to Microsoft's advisory.
"A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled," Microsoft stated.
"An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious website or viewed a malicious email message."
The third vulnerability, rated as 'important', has been found in the Windows Indexing Service that could allow remote code execution on an affected system. Microsoft pointed out that Indexing Service is not enabled by default on affected systems.
A wide variety of the software giant's consumer and business operating systems are affected by the flaws including Windows 2000, XP (SP2 only patches against one of the critical vulnerabilities) and Windows Server 2003.
Microsoft's security advice can be found here.
See also:
Security Cooperation Programme backed by Canada, Chile, Norway and the US 03 Feb 2005
Open source OS 'not ready for mission-critical computing' 28 Jan 2005First Office product to be provided as a service 20 Jan 2005
The latest wave of cyber-crimes and acts of vandalism have demonstrated once again that many systems are still vulnerable to attack. 15 Apr 2004All Bugs & Fixes
del.icio.us
Digg this
reddit!
