Microsoft issues critical patches for IE, Windows apps

By Anne Saita, News Director
11 Oct 2005 | SearchSecurity.com

As anticipated, Microsoft on Tuesday released nine security patches, three of which seal critical holes in the software giant's streaming media software architecture, widely used Internet Explorer Web browser and other key operating-system components.

Among the most severe is the update for a COM object instantiation memory corruption flaw in Internet Explorer. Microsoft planned to issue the update last month, but withdrew it at the last moment for more testing.

This fix, which covers Windows operating systems ranging back as far as Windows 98, prevents intruders from gaining remote control via a malicious Web page that manipulates the way the IE Web browser instantiates COM objects not intended for such use.

Another update fixes an unchecked buffer in Windows' DirectShow application, used for capturing and viewing streaming media on Microsoft Windows systems with and without video and audio acceleration. It is also integrated with DirectX technologies and is used for DVD players, MP3 players, digital video capture software and other popular media downloads.

If exploited, an attacker can remotely take over an affected system and install programs, change or delete data or create new accounts with full user rights. The flaw primarily affects the following workstation and desktop combinations:

  • Systems running DirectX 8.1 on Microsoft Windows XP Service Pack 1
  • Systems running DirectX 7.0 on Windows 2000 with Service Pack 4
  • Systems running DirectX 7.0 on Microsoft Windows XP with Service Pack 2, as well as XP Professional x64, Windows Server 2003 -- with and without Service Pack 1 -- and older OSes such as Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME).

The update removes the vulnerability by modifying the way DirectShow validates the length of a message before passing it to the allocated buffer.

The third critical update patches vulnerabilities with Microsoft Distributed Transaction Coordinator (MSDTC) service and COM+ service to prevent remote control and privilege escalation by attackers. In addition, the same patch seals important, but not critical, holes in the TIP. Among the affected OS versions are Windows XP with SP1 and SP2, and multiple flavors of Windows Server 2003.

"These patches resolve a number of critical client-side vulnerabilities that may be used to install malicious software or potential security risks such as spyware and adware on end-user computers," said Oliver Friedrichs, senior manager for Symantec Security Response, in a prepared statement. "Symantec recommends that users apply the updates as quickly as possible and refrain from opening unknown attachments or clicking on suspicious links that arrive via email or instant messages."

Other patches released Tuesday include:

  • A fix for a moderate flaw in the Windows FTP Client that could allow file transfer location tampering. Impacted systems include Windows XP and XP with SP1; Windows Server 2003 and Server 2003 with Itanium-based systems; and Internet Explorer, with SP1 installed, running on certain Windows 2000 machines.
  • A patch for a moderate vulnerability in Network Connection Manager that could allow a denial of service. Affected software includes Microsoft Windows 2000 Service Pack 4; Microsoft Windows XP SP1 and Microsoft Windows XP SP2; and Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1.
  • An "important" fix for a hole in the client service for NetWare that could allow machines to be remotely controlled. The same software as listed for the Network Connection Manager flaw is impacted by this vulnerability.
  • An "important" security update for a flaw in Windows' Plug and Play that allows remote code execution and elevation of privilege. Microsoft Windows 2000 SP4, Windows XP SP1 and Windows XP SP2 specifically are included.
  • Another important update to fix a flaw in Microsoft Collaboration Data Objects that could allow remote code execution.
  • A fix for vulnerabilities in Windows Shell that could allow an attacker to execute code remotely.

This article originally appeared on SearchSecurity.com.
