
Microsoft fixes quintet of security holes

The software giant patches several security holes in its Internet Explorer and Office software, closing five potential avenues for online attacks against its customers.

Paul Festa Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.
Microsoft has patched several security holes in its Internet Explorer and Office software, closing five potential avenues for online attacks against its customers.

The flurry of specific bug patches comes as Microsoft moves to implement broader security measures. The company came under heavy criticism for its security policies following the widespread damage caused by the "I Love You" virus, which exploited standard features of Microsoft's Outlook email application.

Microsoft this week yielded to that criticism, pledging to implement safeguards in Outlook.

Four of the patched holes are in Microsoft's IE browser. All of them made computers vulnerable to invasions by malicious Web site operators, or senders of HTML email.

The first, the "Frame Domain Verification" hole, concerns the way IE governs the behavior of Web site frames, the windows within windows that sites use to present multiple pages simultaneously. Normally, IE only lets the "parent" window access data in the frame.

The problem is that in some cases IE fails to check the Web site address, or domain, of the frame against that of the parent window. A Web site operator could exploit that vulnerability to access Web files, whose names he or she would have to know or guess, from a visitor's computer through a secondary frame.

The second patched hole exposes Web site visitors' cookies to malicious site operators.

Cookies authenticate visitors' identities on their return to Web sites and store data about their activities and purchases; IE checks to make sure that a Web site requesting a cookie is the same Web site that put it there in the first place. But through an alteration in the coding of Web addresses, a site can slither around IE's security check. With the security patch, IE will recognize the dodge.

The third hole, the "Malformed Component Attribute" vulnerability, involves the way IE handles ActiveX--a technology with an already spotty security reputation--which Web sites use to take actions on a visitor's computer without his or her interaction.

IE's code for running ActiveX components contains a buffer overflow bug. Said to be the most common security problem of the past decade, buffer overflow attacks result from the flooding of a field, such as an address bar, with more characters than it can accommodate.

The improperly coded buffer responds to such attacks by crashing the application, and the excess code, potentially malicious, can be run upon restarting the computer.

The patch fixes a fourth hole, which Microsoft has tackled once already, called the "WPAD Spoofing" vulnerability.

IE 5 has a feature called Web Proxy Auto-Discovery (WPAD), which automatically determines the right settings for the proxy servers that act as buffers between networks, such as corporate intranets, and the wider Internet.

The problem with WPAD is that when it fails to find the proxy server within the network, it continues the search outside the network. That lets a malicious hacker give settings to the browser that would facilitate a broader attack.

The first patch, included in IE 5.01, prevents the browser's search for the proxy server from leaving the network. But what Microsoft termed "a new variant" of the problem cropped up in the interim.
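The search behavior described above, as an added example that is not part of the original article or Microsoft's code: it assumes the DNS form of WPAD lookup, in which the client prepends `wpad` to successively shorter parent domains of its own host name (a detail the article does not give). The host names and the `org_suffix` boundary are constructed for illustration.

```python
# Added example; host names are constructed (example.com is a documentation domain).

def _norm(name: str) -> str:
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.lower().rstrip(".")

def wpad_candidates(client_fqdn: str) -> list[str]:
    """Names an unbounded search tries: 'wpad' + each shorter parent domain.
    Assumption: DNS-style WPAD lookup; the article does not describe it."""
    labels = _norm(client_fqdn).split(".")
    # labels[0] is the host; each step drops one more leading domain label.
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels))]

def is_inside(name: str, org_suffix: str) -> bool:
    """True if name is org_suffix or a subdomain of it (label-boundary match)."""
    name, org_suffix = _norm(name), _norm(org_suffix)
    return name == org_suffix or name.endswith("." + org_suffix)

def split_candidates(client_fqdn: str, org_suffix: str):
    """Return (inside, outside): names a bounded search keeps vs. names that
    leave the organization's namespace and could be answered by a stranger."""
    inside, outside = [], []
    for name in wpad_candidates(client_fqdn):
        (inside if is_inside(name, org_suffix) else outside).append(name)
    return inside, outside

def flag_wpad_queries(queries, org_suffix):
    """Audit helper: wpad.* lookups in a DNS query log that target outside names."""
    return [q for q in queries
            if _norm(q).split(".")[0] == "wpad" and not is_inside(q, org_suffix)]

if __name__ == "__main__":
    inside, outside = split_candidates("pc1.dept.corp.example.com", "corp.example.com")
    print("stays inside the network:", inside)
    print("leaves the network:     ", outside)
    # Constructed DNS query names, as they might appear in a resolver log.
    log = ["wpad.corp.example.com", "WPAD.example.com.", "www.example.com", "wpad.com"]
    print("queries to review:      ", flag_wpad_queries(log, "corp.example.com"))
```
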

All four IE vulnerabilities, which affect versions 4.0, 4.01, 5.0 and 5.01, are fixed by the same patch. It is available for download through IE; the page appears blank to people using AOL's Communicator browser.

The fifth Web security hole Microsoft patched afflicts the company's Office 2000 suite of applications, which includes Word, Excel, PowerPoint, Access, PhotoDraw, FrontPage, Project, Publisher, Outlook and Works. Those applications are also sold separately.

The Office 2000 problem concerns an improperly labeled ActiveX control that Microsoft uses to demonstrate various tools in the Office suite. Office's user assistance tool, or "UA Control," is marked "safe for scripting," allowing it to be manipulated by hostile Web sites or HTML-email senders.

The "safe for scripting" designation normally indicates that an ActiveX control is harmless. But the control "exposes fairly powerful functionality that is inappropriate for use by Web sites," according to Microsoft's posting on the issue. The patch is available for download.

Despite Microsoft's pile of Web security bug patches, more remain to be fixed. The company this week acknowledged a problem with its version of IE for the Macintosh. The bug concerns the browser's handling of the Java programming language and, like the bugs patched this week, opens a computer to malicious HTML code.