MS releases unholy trinity of security fixes

IE flaws du jour - and more

Microsoft yesterday released another cumulative fix for Internet Explorer designed to address all the old flaws with the Swiss cheese browser and fix a set of fresh problems.

Separately, Redmond also issued a patch for a less serious vulnerability in a ubiquitous Windows middleware package, and reissued a July advisory on a serious vulnerability involving MIDI files.

The new IE flaws could enable an attacker to run arbitrary code on a user's system if the user either visited a hostile Web site or opened a specially crafted HTML-based email message.

No surprise that Redmond designates the fix as "critical" then.

The first new vulnerability arises because IE does not properly determine an object type returned from a Web server.

Microsoft warns: "It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it would be possible for the attacker to exploit this vulnerability without any other user action." (our emphasis).

"An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability," it adds.

As if that wasn't enough there's a second (slightly less serious) new flaw involving the cross-domain security model of Internet Explorer. This security model is designed to keep windows of different domains from sharing information. However, it's at least partially broken so that crackers might be able to execute script in the My Computer zone.

Not good.

Microsoft advises users of IE 5.01, IE 5.5, IE 6.0 and IE 6.0 for Windows Server 2003 to review its cumulative patch, which fixes these new flaws as well as providing a roll-up of previously released fixes for IE.

Kill Bit!

This cumulative patch also sets the Kill Bit on the BR549.DLL ActiveX control, which provided support for the Windows Reporting Tool. Internet Explorer no longer supports this control, which is just as well because it contains a security vulnerability. To protect customers who have this control installed, the patch prevents the control from running or from being reintroduced onto users' systems.
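Confirming that a Kill Bit has actually been set is a registry check. The PowerShell below is an added example, not code from the article or from Microsoft: it reads the per-CLSID "Compatibility Flags" value that IE consults (the 0x400 bit is the Kill Bit) and resolves which DLL each CLSID points to, so an administrator can see whether every control backed by a given DLL, BR549.DLL in this case, is disabled. The article gives no CLSID for the control, so the script finds controls by DLL file name rather than hard-coding one; the registry paths used are the standard ones for 32-bit Internet Explorer.

```powershell
# Added example, not part of the article. Audits Internet Explorer Kill Bits: the
# per-CLSID "Compatibility Flags" value under the ActiveX Compatibility key, where
# bit 0x400 marks a control that IE must never load.

$KillBitMask = 0x400
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ActiveXServerPath {
    # Resolve the DLL that implements a CLSID, or $null if it is not registered in-process.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-ItemProperty -LiteralPath $key).'(default)'
}

function Test-KillBit {
    # Report the Kill Bit state of one CLSID. A missing key or value means no flags at all.
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = Join-Path $CompatRoot $Clsid
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $value = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($value) { $flags = [int]$value.'Compatibility Flags' }
    }
    [pscustomobject]@{
        Clsid      = $Clsid
        ServerPath = Get-ActiveXServerPath -Clsid $Clsid
        Flags      = ('0x{0:X8}' -f $flags)
        KillBitSet = (($flags -band $KillBitMask) -ne 0)
    }
}

function Find-ControlsByDll {
    # List every registered CLSID whose server DLL has the given file name, with its Kill
    # Bit state, so a patch that is supposed to disable a control can be verified.
    param([Parameter(Mandatory)][string]$DllName)
    Get-ChildItem -LiteralPath 'Registry::HKEY_CLASSES_ROOT\CLSID' | ForEach-Object {
        $clsid = $_.PSChildName
        $path  = Get-ActiveXServerPath -Clsid $clsid
        if ($path -and ([IO.Path]::GetFileName($path) -ieq $DllName)) {
            Test-KillBit -Clsid $clsid
        }
    }
}

# Usage: any control backed by br549.dll should show KillBitSet = True after the patch.
Find-ControlsByDll -DllName 'br549.dll'
```

A control that no longer appears under HKCR\CLSID at all is also fine: the Kill Bit entry under ActiveX Compatibility survives independently, which is what stops the control being reintroduced later.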

In addition to these vulnerabilities, a change has been made to the way IE renders HTML files. This change addresses a flaw that could cause the browser or Outlook Express to fail. Internet Explorer does not properly render an input type tag. A user visiting an attacker's Web site could allow the attacker to exploit the vulnerability by viewing the site. In addition, an attacker could craft a specially formed HTML-based email that could cause Outlook Express to fail when the email was opened or previewed.

The root causes of these problems - buffer overflows and coding mistakes - will be all too familiar to long-suffering IE users. Microsoft's pleas of mitigation also carry a familiar ring. Microsoft points out that, by default, IE 6 on Win 2003 runs in enhanced security configuration. Also, to exploit these flaws a cracker would have to entice victims to visit a maliciously constructed website - as if spam HTML email doesn't make this all too easy.

Microsoft's advisory explains these various flaws in IE in far greater detail.

And there's more

Redmond also yesterday issued a fix to correct a less serious buffer overflow risk involving Microsoft Data Access Components (MDAC), a collection of components that are used to provide database connectivity on Windows platforms.

MDAC is included by default as part of Windows XP, Windows 2000, Windows ME and Windows Server 2003. Microsoft Data Access Components versions 2.5, 2.6 and 2.7 are potentially vulnerable. MDAC version 2.8 - as used by Windows Server 2003 - is not.

MDAC is included in the Windows NT 4.0 Option Pack and in Microsoft SQL Server 2000. Additionally, some MDAC components are present as part of IE even when MDAC itself is not installed.
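Since the affected range is defined by version, an administrator's first check is which MDAC branch a machine carries. The PowerShell below is an added example, not code from the article or from Microsoft; it reads the version values MDAC records under HKLM\SOFTWARE\Microsoft\DataAccess (FullInstallVer and Version) and maps the major.minor branch onto the affected list above. It reports only the branch; the version value alone does not reveal whether this particular fix has been applied, and, as noted above, IE can carry MDAC components even when the key is absent.

```powershell
# Added example, not from the article. Reports the installed MDAC branch and whether it
# falls in the range the advisory lists as potentially vulnerable (2.5, 2.6, 2.7; 2.8 is not).

$MdacKey          = 'HKLM:\SOFTWARE\Microsoft\DataAccess'
$AffectedBranches = @('2.50', '2.60', '2.70')   # MDAC records 2.5 as 2.50, 2.7 as 2.70, and so on

function Get-MdacVersion {
    # Returns the version MDAC recorded at install time, or $null if the key is absent.
    $props = Get-ItemProperty -Path $MdacKey -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    # FullInstallVer reflects the last full install; fall back to Version on older installs.
    $raw = if ($props.FullInstallVer) { $props.FullInstallVer } else { $props.Version }
    if (-not $raw) { return $null }
    return [version]$raw
}

function Get-MdacStatus {
    $v = Get-MdacVersion
    if (-not $v) {
        # No MDAC key: not a clean bill of health, since IE ships some MDAC components itself.
        return [pscustomobject]@{ Installed = $false; Version = $null; Branch = $null; InAffectedRange = $false }
    }
    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    [pscustomobject]@{
        Installed       = $true
        Version         = $v.ToString()
        Branch          = $branch
        InAffectedRange = ($AffectedBranches -contains $branch)
    }
}

Get-MdacStatus
```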

Due to a flaw in a specific MDAC component, an attacker could respond to broadcast requests with a specially crafted packet that could cause a buffer overflow.

An attacker who successfully exploited this flaw could gain the same level of privileges over the system as the application that initiated the broadcast request.

Microsoft reckons that for an attack to be successful an attacker would need to simulate a SQL server on the same subnet as the target system. Because of the difficulty of exploitation Microsoft designates the flaw as important and not critical. There's more info in an advisory here.

MIDI Vuln reloaded

Lastly, Microsoft reissued an advisory regarding a critical vulnerability in its DirectX component, originally issued in July, to announce the availability of patches for a greater range of DirectX packages. The vulnerability, which arises because of an unchecked buffer in DirectX, could allow crackers to inject malicious code on vulnerable machines via maliciously constructed MIDI audio files hosted on a Web site or on a network share, or sent using an HTML-based e-mail. Our July report goes into this in more depth.

A list of affected packages and available fixes (too extensive to detail here) can be found in Microsoft's advisory here. ®

Related Stories

Post Blaster, MS floats default auto updates for Windows
WindowsUpdate on Linux - an urban legend is born
MS fixes WinNT patch RAS knock-out glitch
MS alerts users to Windows DirectX vulnerability
IE bugs keep coming
Wakey, Wakey it's Patching Day. Again
If it's Thursday it must be IE patching day
MS IE patch misses the mark
MS releases grand daughter of all IE security patches