Microsoft on Tuesday warned users of new critical vulnerabilities in Windows and Internet Explorer that could enable an attacker to execute code remotely.
The warnings are the second installment
A cumulative update for IE versions 5.01, 5.5 and 6.0 warns of five new flaws in the Web browser. Another critical alert was issued for Workstation Service in Windows 2000 and XP and FrontPage Server Extensions in Windows NT, 2000, XP and Windows Server 2003.
A less severe warning was issued for vulnerabilities in Excel, Word and Works Suite.
Administrators are urged to install the critical patches immediately, Microsoft said.
The IE update is a cumulative patch that includes fixes for five newly discovered security holes. Three involve problems in the cross-domain security model that keeps browser sessions from different domains from sharing information. An attacker exploiting this hole could ultimately execute code or access files in the My Computer zone.
Another vulnerability has been found in the way zone information is passed to XML objects in IE. An attacker would be able to read files on a user's system by exploiting this flaw. A user would have to visit a malicious Web site or view an HTML e-mail and be prompted to download an HTML file that would exploit the flaw and allow the attacker access to files.
The final new IE flaw involves drag-and-drop operations during dynamic HTML sessions in IE and would enable an attacker to save a file in a particular location without the user's knowledge or permission.
Microsoft said administrators could prompt users before running ActiveX controls and active scripting in the Internet and Intranet zones as one workaround to the IE holes. However, many sites use ActiveX for certain functionality, which would be lost if these controls are denied. Also, Web surfing could be restricted to only sites listed in IE's Trusted sites zone.
A critical buffer overrun was discovered in Windows 2000 and XP Workstation Service that could allow an attacker to execute code on a vulnerable system, cause it to crash, install programs, view or change files and create new accounts with system privileges.
Administrators can block inbound UDP ports 138, 139, 445 and TCP ports 138, 139 and 445 or disable Workstation service as a workaround. Most firewalls, including Internet Connection Firewall in Windows XP, block these ports by default. Also, admins could enable advanced TCP/IP filtering on Windows 2000 and XP to block unsolicited inbound traffic.
Microsoft cautions that disabling the Workstation service would prevent the system from connecting to shared file or print resources on a network, and that this workaround should be used only on standalone systems.
The final critical vulnerability is in FrontPage Server Extensions in Windows 2000 and XP. A buffer overrun was found in the remote debug functionality that enables users to connect to servers running the extensions and debug content. Attackers exploiting this hole would be able to run code with local privileges. FrontPage Server Extensions also contains a denial-of-service flaw in the SmartHTML interpreter, a set of dynamic link library files that support dynamic Web content.
Administrators can use the IIS Lockdown Tool to disable FrontPage Server Extensions on IIS as one workaround. The Extensions can also be uninstalled.
Microsoft also released less severe warnings about flaws in Office applications, Word and Excel. Both flaws could allow remote code execution.
This article originally appeared on SearchSecurity.com.