Microsoft patches critical bugs in IE, Windows

Microsoft has released 10 security patches, including critical fixes for Windows and Internet Explorer.

Microsoft released 10 security patches, including three deemed "critical," for bugs in a variety of the company's products. Released Tuesday as part of the company's monthly updates, the critical patches repair flaws in Windows and Internet Explorer that could allow attackers to take complete control of a computer, Microsoft said.

The bug in Internet Explorer could theoretically allow Web pages with malicious code stored in the form of PNG (Portable Network Graphics) graphics files to gain control of a user's system. Microsoft also found a similarly critical bug in the Windows HTML (Hypertext Markup Language) Help system, as well as a flaw in Microsoft's SMB (sever message block) file sharing protocol.

"There is the potential for an attacker to somehow create an automated attack that could result in some sort of virus or worm," said Stephen Toulouse, security program manage with Microsoft's Security Response Center.

All three of the critical flaws were generally unknown before Tuesday, and they affect all supported versions of Windows, Toulouse said. None of the 10 bugs that were reported and patched has yet been exploited by attackers, he added.

Bulletins were also issued for important vulnerabilities in Web Client Service, Outlook Web Access for Exchange Server 5.5, Outlook Express, and Windows Interactive Training.

Moderate vulnerabilities were reported in Microsoft Agent, Telnet Client, and ISA Server 2000, Microsoft said.

Microsoft also re-released three patches, numbered MS05-019, MS02-035 and MS05-004. Some of these patches were re-released because they had stopped certain applications from running on Windows, Microsoft said.

Though it only merited a moderate rating, the Microsoft Agent bug is serious because it could allow attackers to gain control over pop-up messages on a user's desktop, said Russ Cooper, senior scientist at Cybertrust and editor of the NTBugtraq discussion list.

Agent is user interface software that is often preinstalled on computers in order to generate cartoon-like characters, similar to Microsoft Office's "Clippy" paperclip, which are used in some Web-based help systems.

If exploited, the Agent bug could trick users into downloading malicious code, by intercepting or spoofing the computer's pop-up security warnings, Cooper said. For example, it could turn an Internet Explorer security warning into a message that said, "I have now verified that this is, in fact, your bank," he said.

The vulnerability was rated moderate because Agent is not always automatically enabled and because the vulnerability does not directly allow an attacker to gain control of the system, according to Toulouse.

Tuesday's patches cover many more products than last month's security bulletin, which concerned only Microsoft Web View. This means that administrators will be spending more time testing and patching their systems this month, said Mitchell Ashley, chief technology officer with security vendor StillSecure. "This month's [bulletin] is really affecting a number of widespread products from Microsoft, both on the desktop and the server," he said.

StillSecure is the business name of Latis Networks.

The June Security Bulletin will be discussed during a webcast, scheduled for Wednesday at 11:00 a.m. Pacific Time. More information can be found here: http://www.microsoft.com/technet/security/bulletin/ms05-jun.mspx

Microsoft's next scheduled Security Bulletin will be released on July 12.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Family Friendly

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Stocking Stuffer

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?