X

Microsoft patches holes in Windows

The software maker fixes three new security holes in its operating system, warning that one flaw could let a hacker run code on victims' PCs.

Ina Fried Former Staff writer, CNET News
During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.
See full bio
Ina Fried
2 min read
Microsoft on Wednesday warned of three new security gaps in its software, including one "critical" Windows flaw that could allow a hacker to run unauthorized code on victims' PCs.

The most serious of the flaws is what is known as a buffer overrun vulnerability, which could allow an attacker to use an unchecked buffer to run their own executable code.

This flaw, located in the HTML converter in Microsoft's Windows operating system, could be used by hackers to spread the code either by sending an HTML e-mail or by creating a special Web page that triggers a download of the code.

Because the security hole can be exploited without any action on the part of the user, Microsoft described it as critical, the highest rating in the software maker's four-level system.

The vulnerability exists in many recent versions of Windows, including Windows XP, Windows 2000, Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0 Server and Windows Server 2003. However, the flaw is only rated moderate for Windows Server 2003, because that software ships with a setting known as Enhanced Security Configuration designed to minimize the risk of unauthorized code being launched.

Microsoft posted a patch for the vulnerability on its Web site.

"We certainly want everyone to apply the patch in order to protect their computers," Microsoft Security Response Center's Stephen Toulouse said.

Toulouse said the company learned of the flaw after it was posted to several security mailing lists last month.

"We are disappointed that the finder chose not to bring that directly to us," Toulouse said. "As soon as we were made aware of that, we began our program to develop a fix as fast as we could."

The other Microsoft bulletins deal with two flaws rated as "important." The first of these deals with another buffer overrun problem in Windows NT, Windows 2000 Server and Windows XP. The vulnerability is related to the Server Message Block (SMB) protocol used by the operating system to share files and printers, among other things.

The last of the warnings deals with a flaw within Windows 2000's utility manager that could allow a user to elevate their system privileges.

The alerts are the latest in a string of periodic bulletins from Microsoft and are its 23rd, 24th and 25th such warnings of the year. Last month the company issued fixes for two security holes in its media software. In May, Microsoft warned of vulnerabilities in its Internet Information Services (IIS) software.