Fixes in for critical IE, Windows flaws

Three of the 10 bulletins in Microsoft's monthly batch of patches deal with three holes that could let intruders take over a PC.

Microsoft on Tuesday issued three "critical" patches for flaws that could allow a malicious attacker to take remote control of a computer.

One fix deals with vulnerabilities in Internet Explorer, while the others tackle problems with HTML Help and Server Message Block in the Windows operating system. The security bulletins were three of 10 released by the software giant as part of its monthly patch cycle.

"This is definitely a significant set of patches," said Jimmy Kuo, a McAfee fellow. "We have three remote code execution patches--one being for IE, which is prevalent. The other two are for HTML Help and Server Message block, which are also installed on all PCs with Windows"

The other security bulletins included four rated "moderate" that affect Windows and the Exchange e-mail server. Three "important" alerts address problems in Windows, Windows Services for Unix, Internet Security and Acceleration Server and Small Business Server.

Microsoft's rating system deems a security issue as critical--its highest ranking--if it could enable a worm to spread without any action from the PC user. Important flaws are those that could compromise people's data or threaten system resources, while the risk from moderate security holes can be restricted by measures such as configuring the default.

The three critical flaws could allow an intruder to take control of a computer, Microsoft said. The problem in IE is a PNG Image Rendering Memory Corruption vulnerability and affects a range of versions, including IE 6 for Windows XP Service Pack 2.

PNG images are similar to JPEGs and are used in many multimedia formats. The IE vulnerabilities allow fields to be malformed when reading or processing the image. That can result in a buffer overflow and open the system to a remote attacker.

"The PNG vulnerability is the most significant of the three," said Vincent Weafer, a senior director at Symantec Security Response. "This is a file format flaw and it's not something users are thinking of, which is why they need to watch out for it."

The Windows HTML Help vulnerability affects Windows XP Service Packs 1 and 2, Windows 2000 Service Packs 3 and 4, and other versions and service packs.

Although the server message block could let an intruder into a PC, the attacker needs to get authentication on the system to exploit the vulnerability. Among the Windows versions threatened by the flaw are Windows XP Service Packs 1 and 2 and Windows 2000 Service Packs 3 and 4.

Microsoft gave IT administrators a heads-up about the fixes last week as part of its prenotification process. It said it expected "at least one" critical vulnerability among the 10 bulletins that were coming.

Last month, Microsoft's monthly patch cycle contained less severe vulnerabilities, as it issued only one important fix for its Windows 2000 Service Packs 3 and 4. The flaw would allow a malicious attacker to execute arbitrary code and take over users' computers if they were persuaded to view a malicious file.