Microsoft patches three 'critical' software flaws

Microsoft Corp. released three software patches rated "critical" late last week. The patches plug holes in Internet Explorer, Windows XP, SQL Server 2000 and Commerce Server 2000.

Two of the patches aim to fix information disclosure flaws in Microsoft's Web browser Internet Explorer (IE).

The first flaw exists in IE versions 5.01, 5.5 and 6.0. Through it, malicious Web site operators can read files on users' computers and tap information entered into the Web browser such as usernames, passwords and credit card details, Microsoft said in security bulletin MS02-009. ( problem lies in the way IE handles scripting across domains within frames, Microsoft said. The flaw allows VBScript, Microsoft's script language, running in one domain -- the domain of the attacker -- to read data in a frame belonging to another domain, which could be the user's local PC or an online shop.

To be exposed to this VBScript handling flaw, a user would have to go to a Web site that is under the attacker's control or open an HTML (Hypertext Markup Language) e-mail from the attacker, Microsoft said. The patch fixes the vulnerability by instituting domain verification handling for VBScript.

The second information disclosure flaw also requires a user to visit an attacker's Web site and would allow the attacker to read files on users' systems, Microsoft said in security bulletin MS02-008. ( This flaw requires patching of Internet Explorer 6.0, the operating system Windows XP and database server SQL Server 2000, as these applications all contain the flawed code.

This vulnerability, dubbed the XMLHTTP bug by security experts because it appears in the XMLHTTP ActiveX control, has been waiting for a plug since it was published on Dec. 15 last year.

The ActiveX control is part of Microsoft's XML Core Services software. Flawed versions of the control ship as part of Windows XP, IE 6.0 and SQL Server 2000. They do not respect the security zone settings in IE, allowing a Web page to specify a file on a user's computer as an XML (Extensible Markup Language) data source as a means of reading the file, Microsoft said. XML Core Services software is used by other applications to parse, generate , validate and transform XML documents so that the information can be displayed, stored or manipulated, Microsoft said.

The third patch Microsoft issued is to fix a buffer overrun flaw in Commerce Server 2000, software that supports electronic commerce Web sites. The flaw was discovered as part of Microsoft's internal security code review, the company said. An attacker exploiting the flaw could gain full control over the system running the software by sending a malformed request to it, Microsoft said in security bulletin MS02-010. ( flaw lies in a software component called AuthFilter, an ISAPI (Internet Services Application Programming Interface) filter that provides support for authentication methods on the system. This filter is installed by default, Microsoft said. All administrators using Commerce Server 2000 are urged to patch their systems.

Installing URLscan, a software tool recommended by Microsoft, will protect Commerce Server 2000 installations from being taken over by an attacker, but the server can still be caused to fail by sending it a malformed request, Microsoft noted. Earlier versions of the software, including Site Server 3.0 and Site Server 3.0 Commerce Edition, are not affected, the software maker said.

Thor Larholm, a Danish Internet programmer and security expert who maintains a list of security holes Microsoft has yet to patch on his Web site at, said Microsoft is on the right track.

"It is nice to see that they have patched most of the holes listed on my site, but it is frightening to witness the amount of time it took and the pressure from the public that was needed," he said. "However, Microsoft's actions are a promising trend and I hope their initiative to put more focus on security will outlive the month."

Microsoft has announced it will take a break of about a month from developing new code to go back to the already written software and check that for security flaws. [See "Microsoft takes a break to clean its code," Feb. 4.] The now-patched Commerce Server 2000 flaw seems to be the first result of those efforts.

"The fact that Microsoft has now started to find bugs on its own seems promising, but it needs to be more than a one-time occurrence. Microsoft needs to rethink fundamental parts of its security processes, as it is too easy for outsiders, with no access to Microsoft's closed source, to find new security holes," Larholm said.

Notwithstanding the patches, IE remains vulnerable, according to Larholm.

"Internet Explorer remains insecure. In the next month or two we will probably have about five new vulnerabilities. I have listed three current vulnerabilities that aren't public yet, but were discovered by a software firm. Microsoft is currently investigating these holes that allow an attacker to read local files," he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joris Evers

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?