Microsoft Patches 4 Critical Windows Vulnerabilities

As expected, Microsoft Corp. today published five new security bulletins that patch vulnerabilities in its Windows and Microsoft Content Management Server products.

Microsoft's Tuesday patch haul includes fixes for four "critical" and one "important" vulnerability -- on top of the critical GDI patch Redmond released just last week.

All four of the "critical" security bulletins patch flaws that, if exploited, could result in Remote Code Execution attacks. They include fixes for vulnerabilities in Microsoft Content Management Server (CMS), Universal Plug and Play (UPnP), Microsoft Agent and the Client/Server Runtime Subsystem (CSRSS), each described below.

This month's sole "important" update fixes a flaw in the Windows kernel that could result in an Elevation of Privilege attack.

The Content Management Server (CMS) bulletin actually addresses two vulnerabilities: a Memory Corruption vulnerability and a Cross-Site Scripting and Spoofing vulnerability, the latter of which can result in information disclosure or spoofing, Microsoft confirmed. The former flaw -- which can be exploited by means of a malicious HTTP request -- is the more serious of the two; it's the one that, if exploited, could result in a Remote Code Execution attack. This vulnerability had not previously been disclosed, and no known exploit or proof-of-concept code exists.

The Universal Plug and Play (UPnP) vulnerability affects only Windows XP systems (including SP2 and x64 versions), Microsoft said. Windows 2000 SP4, as well as any of the available flavors of Windows Server 2003 and Windows Vista, are not affected. This vulnerability had not previously been disclosed, and no known exploit or proof-of-concept code exists.

The Microsoft Agent flaw takes the form of a URL Parsing vulnerability. Microsoft gives it a "critical" rating on Windows 2000 SP4 and Windows XP SP2 (x86 versions only) and a "moderate" rating on Windows XP Professional x64 and Windows Server 2003 (all versions). Windows Vista is not affected by the vulnerability, Microsoft says.

The CSRSS bulletin also addresses multiple vulnerabilities, including a MsgBox Remote Code Execution vulnerability (the most serious of the three), a CSRSS Local Elevation of Privilege vulnerability and a CSRSS DoS vulnerability.

This critical bulletin affects all supported versions of Windows, including Windows Vista. The CSRSS MsgBox vulnerability stems from a flaw in the way in which Microsoft's CSRSS implementation processes error messages. An attacker would have to craft a malicious Web page or application in order to exploit the vulnerability, according to Microsoft. This vulnerability had been publicly disclosed, according to Microsoft; the security community at large dubs it the "Vista Memory Corruption Zero-Day" -- although, to date, there's no evidence of any exploit activity. Microsoft's Patch Tuesday release addresses this flaw as well as the other aforementioned vulnerabilities.

The "important" Kernel Elevation of Privilege vulnerability affects all versions of Windows except Vista. Today's patch for this flaw -- resulting from incorrect permissions on a mapped memory segment -- replaces a prior update for Windows 2000 Server SP4, Microsoft said.

Microsoft also released several non-security updates for its Windows Malicious Software Removal Tool, Windows Server Update Services (WSUS), Microsoft Update and Software Update Service.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
