Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » New Microsoft vulnerabilities

New Microsoft vulnerabilities

by Nikola Strahija on February 8th, 2006 Late yesterday Microsoft issued two advisories with workarounds for a privilege escalation vulnerability in Windows and a new code execution hole in older versions of the Internet Explorer browser.


The IE flaw could allow an attacker to use a malicious WMF image to take complete control of a Windows PC, but Microsoft says the issue only affects IE 5.0 on Microsoft Windows 2000 Service Pack 4 and IE 5.5 on Windows Millennium.

Although the flaws sound the same, Microsoft assures its customers that this is not 'zero day vuln' all over again. -Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user, the company said in the advisory.

Microsoft also warned that an attacker could launch attacks by convincing a user to open a specially crafted e-mail attachment or click a link in an e-mail message that takes the user to a malicious Web site.

The second advisory concerns the proof-of-concept published by Princeton University researchers, which shows how ACLs (access control lists) used in Windows applications could be exploited. Microsoft said the code attempts to exploit overly permissive access controls on third-party application services and could be used to exploit default services of Windows XP Service Pack 1 and Windows Server 2003.

-These vulnerabilities could allow a malicious authenticated user to launch a privilege escalation attack. An attacker could change the default binary that is associated with the affected services. Then an attacker could stop and restart the services to run a malicious program or binary, Microsoft's advisory said.

In its advisory, Microsoft said customers running Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 are not vulnerable to these issues because of defense-in-depth security-related changes that were made to these service packs.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »