Patch Tuesday Brings Fixes for 2 Critical Security Flaws
- By Scott Bekker
- July 13, 2004
Microsoft patched two critical flaws in its software in a batch of seven security bulletins released today as part of the company's monthly "Patch Tuesday." Each of the two critical flaws could allow an attacker to take complete control of a Windows computer over the Internet.
In all, eight flaws are fixed in the seven bulletins, the 18th through 24th bulletins Microsoft has released this year.
The seven bulletins follow one other critical update released earlier this month that made a configuration change to Internet Explorer. That registry change is designed to protect IE users from the vulnerabilities underlying the Download.ject attack. Microsoft continues to work on an actual patch to protect Internet Explorer from future attacks exploiting the underlying problem.
One of the critical flaws fixed on Tuesday is an HTML Help vulnerability that is patched in bulletin MS04-023. The flaw occurs because HTML Help, the standard help system for the Windows platform, does not completely validate input data.
Microsoft's bulletin warned, "Any system where Internet Explorer and mail clients are actively used is primarily at risk from this vulnerability." To exploit the vulnerability, an attacker must lure a user to a malicious Web site or persuade a user to open a specially crafted URL in an HTML e-mail.
The other critical flaw involves Windows Task Scheduler (MS04-022). An unchecked buffer in Task Scheduler, Microsoft's tool for scheduling commands, programs or scripts, could allow an attacker to take over a machine. The vulnerability could be exploited via a maliciously crafted Web page, among other vectors.
Other bulletins address less severe problems in Outlook Express, the Windows Utility Manager, the POSIX Subsystem of Windows, Internet Information Server 4.0 and the Windows shell. A Web page showing summaries of all the bulletins and links to each can be found here.
Although Microsoft ended support for Windows NT 4.0 Workstation with Service Pack 6a and Windows 2000 Service Pack 2 on June 30, the company conducted a vulnerability review for the HTML Help flaw for those platforms in bulletin MS04-023. A fix is included for Windows 2000 SP2. Windows NT 4.0 SP6a is deemed not vulnerable.
Microsoft explained the decision in its bulletin: "The end-of-life for the extended support period occurred very recently. In this case, the majority of the steps that are required to address this vulnerability were completed before June 30, 2004. Therefore, we have decided to release security updates for these operating system versions as part of this security bulletin."
While Microsoft reserved the right to issue fixes for non-supported versions in the future, the company said it did not anticipate repeating the process and encouraged customers with those operating systems to migrate to supported versions.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.