
Microsoft patches critical bugs in IE and Windows

by Nikola Strahija on June 17th, 2005

Microsoft released ten security patches on Tuesday, including three deemed "critical". These critical patches repair flaws in Windows and Internet Explorer that could allow attackers to take complete control of a computer.


The bug in Internet Explorer could theoretically allow Web pages with malicious code stored in the form of PNG (Portable Network Graphics) graphics files to gain control of a user's system. Microsoft also found a similarly critical bug in the Windows HTML Help system, as well as a flaw in Microsoft's SMB (server message block) file sharing protocol.

"There is the potential for an attacker to somehow create an automated attack that could result in some sort of virus or worm," said Stephen Toulouse, security program manager with Microsoft's Security Response Center.

All three of the critical flaws were generally unknown before Tuesday, and they affect all supported versions of Windows, Toulouse said. Attackers have not yet exploited any of the ten bugs that were reported and patched, he added.

Moderate vulnerabilities were reported in Microsoft Agent, Telnet Client, and ISA Server 2000, Microsoft said.

Microsoft also re-released three patches, numbered MS05-019, MS02-035 and MS05-004. Some of these patches were re-released because they had stopped certain applications from running on Windows, Microsoft said.

Though it received only a moderate rating, the Microsoft Agent bug is serious because it could allow attackers to gain control over pop-up messages on a user's desktop, said Russ Cooper, senior scientist at Cybertrust and editor of the NTBugtraq discussion list.

If exploited, the Agent bug could trick users into downloading malicious code, by intercepting or spoofing the computer's pop-up security warnings, Cooper said. For example, it could turn an Internet Explorer security warning into a message that said, "I have now verified that this is, in fact, your bank," he argued.

The vulnerability was rated moderate because Agent is not always automatically enabled and because the vulnerability does not directly allow an attacker to gain control of the system, according to Toulouse.

