Microsoft patches three 'critical' software flaws

Microsoft Corp. released three software patches rated "critical" late last week. The patches plug holes in Internet Explorer, Windows XP, SQL Server 2000 and Commerce Server 2000.

Two of the patches aim to fix information disclosure flaws in Microsoft's Web browser Internet Explorer (IE).

The first flaw exists in IE versions 5.01, 5.5 and 6.0. Through it, malicious Web site operators can read files on users' computers and tap information entered into the Web browser such as usernames, passwords and credit card details, Microsoft said in security bulletin MS02-009. The problem lies in the way IE handles scripting across domains within frames, Microsoft said. The flaw allows VBScript, Microsoft's script language, running in one domain -- the domain of the attacker -- to read data in a frame belonging to another domain, which could be the user's local PC or an online shop.

To be exposed to this VBScript handling flaw, a user would have to go to a Web site that is under the attacker's control or open an HTML (Hypertext Markup Language) e-mail from the attacker, Microsoft said. The patch fixes the vulnerability by instituting domain verification handling for VBScript.

The second information disclosure flaw also requires a user to visit an attacker's Web site and would allow the attacker to read files on users' systems, Microsoft said in security bulletin MS02-008. This flaw requires patching of Internet Explorer 6.0, the operating system Windows XP and database server SQL Server 2000, as these applications all contain the flawed code.

This vulnerability, dubbed the XMLHTTP bug by security experts because it appears in the XMLHTTP ActiveX control, has been waiting for a plug since it was published on Dec. 15 last year.

The ActiveX control is part of Microsoft's XML Core Services software. Flawed versions of the control ship as part of Windows XP, IE 6.0 and SQL Server 2000. They do not respect the security zone settings in IE, allowing a Web page to specify a file on a user's computer as an XML (Extensible Markup Language) data source as a means of reading the file, Microsoft said. XML Core Services software is used by other applications to parse, generate, validate and transform XML documents so that the information can be displayed, stored or manipulated, Microsoft said.
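The kind of check both IE flaws bypass can be sketched as a simplified model: a domain comparison before one frame reads another, and a refusal to let a network page name a local file as a data source. This is an added example, not Microsoft's code or part of the original article; the function names, the policy and the sample hosts are assumptions.

```javascript
// Added illustration: simplified model of a cross-domain / local-file read check.
// Not Microsoft's implementation; names and policy are assumptions.
function originOf(rawUrl) {
  const u = new URL(rawUrl);
  // Local files have no network origin; model them all as "the local machine".
  if (u.protocol === "file:") return { scheme: "file", host: "", port: "" };
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return { scheme: u.protocol.slice(0, -1), host: u.hostname.toLowerCase(), port: u.port || defaultPort };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Decide whether script running in callerUrl may read content at targetUrl
// (another frame's document, or a file named as an XML data source).
function mayRead(callerUrl, targetUrl) {
  let caller, target;
  try {
    caller = originOf(callerUrl);
    target = originOf(targetUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" }; // fail closed
  }
  // A page loaded from the network must never reach into the local file system.
  if (target.scheme === "file" && caller.scheme !== "file") {
    return { allowed: false, reason: "network page requested local file" };
  }
  if (!sameOrigin(caller, target)) {
    return { allowed: false, reason: "cross-domain read" };
  }
  return { allowed: true, reason: "same origin" };
}

// Constructed sample requests (hypothetical hosts and paths).
const samples = [
  ["http://attacker.example/page.html", "http://shop.example/checkout"],
  ["http://attacker.example/page.html", "file:///C:/Users/alice/notes.txt"],
  ["http://shop.example/cart", "http://shop.example:80/checkout"],
  ["https://shop.example/cart", "http://shop.example/checkout"],
];
for (const [caller, target] of samples) {
  const r = mayRead(caller, target);
  console.log(`${caller} -> ${target}: ${r.allowed ? "ALLOW" : "DENY"} (${r.reason})`);
}
```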

The third patch Microsoft issued is to fix a buffer overrun flaw in Commerce Server 2000, software that supports electronic commerce Web sites. The flaw was discovered as part of Microsoft's internal security code review, the company said. An attacker exploiting the flaw could gain full control over the system running the software by sending a malformed request to it, Microsoft said in security bulletin MS02-010. The flaw lies in a software component called AuthFilter, an ISAPI (Internet Services Application Programming Interface) filter that provides support for authentication methods on the system. This filter is installed by default, Microsoft said. All administrators using Commerce Server 2000 are urged to patch their systems.

Installing URLscan, a software tool recommended by Microsoft, will protect Commerce Server 2000 installations from being taken over by an attacker, but the server can still be caused to fail by sending it a malformed request, Microsoft noted. Earlier versions of the software, including Site Server 3.0 and Site Server 3.0 Commerce Edition, are not affected, the software maker said.

Thor Larholm, a Danish Internet programmer and security expert who maintains a list of security holes Microsoft has yet to patch on his Web site, said Microsoft is on the right track.

"It is nice to see that they have patched most of the holes listed on my site, but it is frightening to witness the amount of time it took and the pressure from the public that was needed," he said. "However, Microsoft's actions are a promising trend and I hope their initiative to put more focus on security will outlive the month."

Microsoft has announced it will take a break of about a month from developing new code to go back to the already written software and check that for security flaws. [See "Microsoft takes a break to clean its code," Feb. 4.] The now-patched Commerce Server 2000 flaw seems to be the first result of those efforts.

"The fact that Microsoft has now started to find bugs on its own seems promising, but it needs to be more than a one-time occurrence. Microsoft needs to rethink fundamental parts of its security processes, as it is too easy for outsiders, with no access to Microsoft's closed source, to find new security holes," Larholm said.

Notwithstanding the patches, IE remains vulnerable, according to Larholm.

"Internet Explorer remains insecure. In the next month or two we will probably have about five new vulnerabilities. I have listed three current vulnerabilities that aren't public yet, but were discovered by a software firm. Microsoft is currently investigating these holes that allow an attacker to read local files," he said.


Joris Evers
