This article originally appeared on SearchSecurity.com.
Microsoft handed IT administrators six security updates Tuesday, three for critical flaws in Internet Explorer and services embedded in Windows. Vulnerability experts are particularly concerned about flaws in how the browser handles .jpg images and processes certain COM objects.
"This isn't the first time we've seen a .jpg problem in Internet Explorer and it's important to understand it's something attackers can remotely exploit without authenticated access," said Ivan Arce, CTO of Boston-based Core Security. "There's no easy way to verify whether or not a given .jpg image is malicious. But there are several ways to deliver a malicious .jpg image."
Critical fixes summarized
- The flaw Arce mentioned in how the browser handles .jpg images. If a user opens a malicious Web site or e-mail, attackers could exploit the security hole to take over the affected computer and launch malicious code using a specially crafted .jpg image.
- A cross-domain flaw attackers could exploit using a malicious Web page. "The malicious Web page could potentially allow remote code execution if it is viewed by a user," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction and social engineering is required to exploit this vulnerability."
- A flaw in how Internet Explorer instantiates COM objects it wasn't meant to use. An attacker could exploit this by constructing a malicious Web page that could be used to launch malicious code. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft said.
While Arce is most concerned about the .jpg flaw, IT administrators should also approach the latter flaw with urgency, said Michael Sutton, director of iDefense Labs, which is part of Mountain View, Calif.-based VeriSign Inc. "This one is very similar to the JVIEW Profiler COM object [javaprxy.dll] vulnerability Microsoft patched last month," he said. "Malicious code has already targeted that vulnerability, and it wouldn't take much to develop exploit code for this one."
While Arce and Sutton urged IT administrators to download the fixes immediately, a patch management expert warned Tuesday that installation may not be so smooth this month.
Eric Schultze, chief security architect at Roseville, Minn.-based Shavlik Technologies, posted a message on the company's patch management mailing list saying that "at least two of the IE patches for MS05-038… have invalid digital signatures (XP SP2 and WS03 32-bit patches), and at least one patch is not digitally signed (IE 5.01 SP4)." Schultz offered this advice: "Right click and view properties for these patches once you've downloaded them. Select the digital signatures tab and click to view details. The GUI will then tell you if the signature is valid or not."
Schultz suspects Microsoft will repost these patches "shortly." He added, "I've tested from two separate locations on the Internet with the same results, though you're testing may vary."
The second critical bulletin addresses flaws in Plug and Play, a program that allows users to insert and remove devices like PC cards without having to configure them; connect to or disconnect from a docking station or network without restarting the computer or changing configuration parameters; and add a new monitor or USB keyboard by plugging it in and turning it on. "A remote code execution and local elevation of privilege vulnerability exists in Plug and Play that could allow an attacker… to take complete control of the affected system," Microsoft said.
This affects Windows 2000 Service Pack 4, Windows XP Service Pack 1 and Service Pack 2; Windows XP Professional x64 Edition; Windows Server 2003 and Windows Server 2003 Service Pack 1; Windows Server 2003 for Itanium-based systems and Windows Server 2003 with SP1 for Itanium-based systems; and Windows Server 2003 x64 Edition.
The third critical bulletin fixes an unchecked buffer in the Printer Spooler service attackers could exploit to take complete control of affected machines. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said. "However, attempts to exploit this vulnerability could most likely result in a denial-of-service condition."
This affects Windows 2000 Service Pack 4, Windows XP Service Pack 1 and Service Pack 2; Windows Server 2003; and Windows Server 2003 for Itanium-based systems.
Important fixes summarized
Microsoft released one bulletin rated important, fixing a flaw in the Telephony Application Programming Interface (TAPI), which integrates telecommunications with the operating system. The software giant said attackers could exploit this to "take complete control of the affected system." Microsoft said the flaw is in the process the Telephony service uses to validate data and permissions.
The security hole appears to affect all versions of Windows.
Moderate fixes summarized
The first moderate bulletin addresses a denial-of-service vulnerability that could allow an attacker "to send a specially crafted Remote Data Protocol (RDP) message to an affected system [and] cause this system to stop responding." This affects Windows 2000 Server Service Pack 4; Windows XP Service Pack 1 and Service Pack 2; Windows XP Professional x64 Edition; Windows Server 2003 and Windows Server 2003 Service Pack 1; Windows Server 2003 for Itanium-based systems; Windows Server 2003 with SP1 for Itanium-based systems; and Windows Server 2003 x64 Edition.
The second moderate bulletin addresses two flaws:
- A denial-of-service vulnerability attackers could exploit by sending a specially crafted message to a Windows domain controller. This could cause Kerberos, the service responsible for authenticating users in an Active Directory domain, to stop responding.
- An information disclosure and spoofing vulnerability attacker could use to tamper with certain information sent from a domain controller and potentially access sensitive client network communication. "Users could believe they are accessing a trusted server when in reality they are accessing a malicious server," Microsoft said. "However, an attacker would first have to inject themselves into the middle of an authentication session between a client and a domain controller."