Want CNET to notify you of price drops and the latest stories?

Fix in for Windows flaw

Microsoft patches "important" security hole in the OS and publishes two early alerts in its new advisory program.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
Dawn Kawamoto
3 min read
Microsoft on Tuesday issued an "important" Windows security fix as part of its monthly patch cycle, tackling a script injection vulnerability that could allow an attacker to take over a PC.

The software giant also published two early alerts as part of its new pilot program Microsoft Security Advisories, a bulletin confirms reports of flaws and provides workarounds until the company can send out a patch.

The monthly security bulletin addresses a vulnerability found in Windows 2000 service packs 3 and 4 that the company ranks as "important," its second-highest severity rating. The flaw also appears in the older Windows 98, Windows 98 Second Edition and Windows Millennium Edition.

"A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields," Microsoft said in its bulletin. "By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged-on user."

That attacker could install programs and view, change or delete data, or create new accounts with full user rights, Microsoft said.

Security company Symantec has rated the risk from the flaw as "medium," noting that some user interaction is required for it to be used for an attack. For example, the PC user would have to download a corrupt document or save the document from an e-mail attachment, then browse to the document using Windows Explorer.

"It would be fairly easy for an attacker to create a malicious document that could compromise a system and circulate this document through e-mail or Web sites," Oliver Friedrichs, senior manager at Symantec Security Response, said in a statement on Tuesday. "In order to combat this new and other security risks, users should always avoid opening files from unknown sources or following links to unverified sites. In addition, all users should deploy Internet security solutions such as antivirus software and firewall technology."

More recent versions of the operating system are not affected by the flaw. Microsoft said it has tested for vulnerability Windows XP service packs 1 and 2, Windows XP 64-Big Edition Service Pack 1 and Version 2003 for Itanium, XP Professional x64 Edition, Windows Server 2003 and its Service Pack 1, Windows Server 2003 for Itanium-based systems and its related Service Pack 1.

Microsoft is urging people with Windows 2000 SP3 and SP4 to download the security update. For the older versions, Microsoft noted on its Web site that it does not offer security patches to older versions of its software that it no longer supports, unless the vulnerability is rated "critical." The software giant did not offer any workarounds.

A Microsoft representative said Windows 98 users should consult the company's Microsoft Lifecycle Support site about what actions to take.

The software giant also released two security advisories for problems that do not necessarily require a patch from Microsoft. One notes that a default setting in Windows Media Player Digital Rights Management could allow a user to open a Web page without requesting permission.

The second is a clarification of Microsoft's simple mail transfer protocol (SMTP) Tar Pit feature in Windows Server 2003 Service Pack 1 for Exchange Server 2003.

"Microsoft does not require or recommend that all customers implement this (Tar Pit) feature. It has been provided as an option for reducing the effectiveness of certain attacks that utilize standard features of the simple mail transfer protocol," the advisory notes.