Your Microsoft critical security patches tonight

Remote compromise and privilege evaluation flaws land on Windows, again

Thu 12 Dec 2002 // 22:47 UTC

Microsoft last night released three sets of security patches, the most important of which aims to address flaws in Microsoft Virtual Machine (VM) which it admits could enable system compromise.

The VM patch is designed to address eight vulnerabilities, the most serious of which would enable an attacker to gain control over a user's system. That's possible because of a vulnerability that means an untrusted Java applet could access COM objects.

Microsoft VM is a virtual machine for the Win32 operating environment and ships with most versions of Windows as well as in most versions of Internet Explorer, so many millions of users are potentially affected by the problem. Attack scenarios are all too familiar. To exploit the flaws an attacker would create a Web page that, when opened, exploits the desired vulnerability, and either host it or send it to a victim as an HTML mail.

No surprise then that Microsoft describes the patch (which can be found by following the link here) as critical.

Next up there's a patch for a privilege elevation flaw - a particular Windows message, called WM_TIMER. Because of this problem an attacker able to log onto a target machine could gain administrator privileges.

The issue affects Windows NT 4.0, NT 4.0 Terminal Server, Win 2K and Win XP. The big mitigating factor here is that the flaw looks far from easy to exploit, particularly because it doesn't lend itself to remote exploitation. For these reasons, Microsoft rates the flaw as important but not critical. There's more info on this problem here.

Lastly, while we're doing a bug roundup, we should mention a
"moderately severe" vulnerabilitywithin Windows Server Message Block (SMB) protocol which could enable group policy on domain controllers to be modified. Flaws in cryptographic signing implementation used by MS in SMB are the root cause of the problem. These flaws are fixed in Win XP SP1 or through a separate patch, released yesterday, which is designed to address the problem on Windows 2000 boxes.

That's all for now.

Have a nice day. ®

Topics

Special Features

Vendor Voice

Resources

Security

Your Microsoft critical security patches tonight

Remote compromise and privilege evaluation flaws land on Windows, again

Related Stories

More about

TIP US OFF

Other stories you might like

Singapore infosec boss warns China/West tech split will be bad for interoperability

Mars helicopter sends final message, but will keep collecting data

Taiwanese film studio snaps up Chinese surveillance camera specialist Dahua

Reducing the cloud security overhead

Software glitch saw Aussie casino give away millions in cash

HPE sues China's Inspur Group over server patents

Hugely expanded Section 702 surveillance powers set for US Senate vote

Snowmobile, Amazon's truck-powered migration service, reaches the end of the road

Uncle Sam earmarks $54M of CHIPS funding for small-biz semiconductor boffinry

Psst, hey. It's the NSA. You want some AI security advice?

America may end up with paid-for 5G fast lanes under net neutrality anyway

ASML ships another high NA EUV lithography machine to mystery client

About Us

Our Websites

Your Privacy