Microsoft patches three 'critical' software flaws

Microsoft Corp. released three software patches rated "critical" late last week. The patches plug holes in Internet Explorer, Windows XP, SQL Server 2000 and Commerce Server 2000.

Two of the patches aim to fix information disclosure flaws in Microsoft's Web browser Internet Explorer (IE).

The first flaw exists in IE versions 5.01, 5.5 and 6.0. Through it, malicious Web site operators can read files on users' computers and tap information entered into the Web browser such as usernames, passwords and credit card details, Microsoft said in security bulletin MS02-009. (http://www.microsoft.com/technet/security/bulletin/MS02-009.asp)The problem lies in the way IE handles scripting across domains within frames, Microsoft said. The flaw allows VBScript, Microsoft's script language, running in one domain -- the domain of the attacker -- to read data in a frame belonging to another domain, which could be the user's local PC or an online shop.

To be exposed to this VBScript handling flaw, a user would have to go to a Web site that is under the attacker's control or open an HTML (Hypertext Markup Language) e-mail from the attacker, Microsoft said. The patch fixes the vulnerability by instituting domain verification handling for VBScript.

The second information disclosure flaw also requires a user to visit an attacker's Web site and would allow the attacker to read files on users' systems, Microsoft said in security bulletin MS02-008. (http://www.microsoft.com/technet/security/bulletin/MS02-008.asp) This flaw requires patching of Internet Explorer 6.0, the operating system Windows XP and database server SQL Server 2000, as these applications all contain the flawed code.

This vulnerability, dubbed the XMLHTTP bug by security experts because it appears in the XMLHTTP ActiveX control, has been waiting for a plug since it was published on Dec. 15 last year.

The ActiveX control is part of Microsoft's XML Core Services software. Flawed versions of the control ship as part of Windows XP, IE 6.0 and SQL Server 2000. They do not respect the security zone settings in IE, allowing a Web page to specify a file on a user's computer as an XML (Extensible Markup Language) data source as a means of reading the file, Microsoft said. XML Core Services software is used by other applications to parse, generate , validate and transform XML documents so that the information can be displayed, stored or manipulated, Microsoft said.

The third patch Microsoft issued is to fix a buffer overrun flaw in Commerce Server 2000, software that supports electronic commerce Web sites. The flaw was discovered as part of Microsoft's internal security code review, the company said. An attacker exploiting the flaw could gain full control over the system running the software by sending a malformed request to it, Microsoft said in security bulletin MS02-010. (http://www.microsoft.com/technet/security/bulletin/MS02-010.asp)The flaw lies in a software component called AuthFilter, an ISAPI (Internet Services Application Programming Interface) filter that provides support for authentication methods on the system. This filter is installed by default, Microsoft said. All administrators using Commerce Server 2000 are urged to patch their systems.

Installing URLscan, a software tool recommended by Microsoft, will protect Commerce Server 2000 installations from being taken over by an attacker, but the server can still be caused to fail by sending it a malformed request, Microsoft noted. Earlier versions of the software, including Site Server 3.0 and Site Server 3.0 Commerce Edition, are not affected, the software maker said.

Thor Larholm, a Danish Internet programmer and security expert who maintains a list of security holes Microsoft has yet to patch on his Web site at http://www.jscript.dk/, said Microsoft is on the right track.

"It is nice to see that they have patched most of the holes listed on my site, but it is frightening to witness the amount of time it took and the pressure from the public that was needed," he said. "However, Microsoft's actions are a promising trend and I hope their initiative to put more focus on security will outlive the month."

Microsoft has announced it will take a break of about a month from developing new code to go back to the already written software and check that for security flaws. [See "Microsoft takes a break to clean its code," Feb. 4.] The now-patched Commerce Server 2000 flaw seems to be the first result of those efforts.

"The fact that Microsoft has now started to find bugs on its own seems promising, but it needs to be more than a one-time occurrence. Microsoft needs to rethink fundamental parts of its security processes, as it is too easy for outsiders, with no access to Microsoft's closed source, to find new security holes," Larholm said.

Notwithstanding the patches, IE remains vulnerable, according to Larholm.

"Internet Explorer remains insecure. In the next month or two we will probably have about five new vulnerabilities. I have listed three current vulnerabilities that aren't public yet, but were discovered by a software firm. Microsoft is currently investigating these holes that allow an attacker to read local files," he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joris Evers

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?