
IE flaw opens door to infection on sight

Microsoft plugs six holes, including an IE bug that could expose a PC user to attack just for looking at a picture.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Microsoft has issued alerts on several security flaws in Windows, the most serious of which could allow an attacker to gain control over a computer.

The software maker released six security bulletins on Tuesday as part of its monthly patching cycle, describing three of them as "critical." The Redmond, Wash.-based company gives that rating to any security issue that could allow a malicious Internet worm to spread without any action required on the part of the user.

One bulletin addresses three vulnerabilities in Internet Explorer, Microsoft's widely used Web browser. These issues carry the highest risk of attack out of all the issues fixed, Oliver Friedrichs, a senior manager at Symantec Security Response, said.

Two other flaws, affecting the plug-and-play feature and printing in Windows, could also spell some trouble for users, he said.

An error in the way IE handles JPEG images is especially alarming, according to Symantec. An attacker could commandeer a PC by crafting a malicious image and tricking the victim into looking at it on a Web site or in an HTML e-mail, for example, Microsoft said in its MS05-038 security bulletin.

"These vulnerabilities can be leveraged by malicious Web sites to install spyware, Trojan horses, bots or other programs on an unsuspecting user's machine," Friedrichs said.

The other two IE flaws could also enable an attacker to take control of a user's computer. One vulnerability lies in how the browser handles URLs, related to a feature that lets users view file folders in IE. The other deals with the ability of IE to call on other parts of Windows and is similar to a problem patched last month.

While the IE issues affect all currently supported versions of the browser and Windows, Microsoft's two other "critical" security bulletins have a more limited scope. These aren't as far-reaching within Microsoft's more recent operating system products.

A flaw in the plug-and-play feature in Windows could allow an anonymous attacker to remotely access and control Windows 2000 systems, Microsoft said in security bulletin MS05-039. However, such an attack is not possible on computers running Windows XP with Service Pack 2 and Windows Server 2003, the company said.

Also, a bug in the Windows print spooling service could let an intruder gain access to machines running Windows 2000 and Windows XP with Service Pack 1. The same attack on systems running Windows XP SP2 and Windows Server 2003 would only cause a crash, according to Microsoft's MS05-043 bulletin.

All current versions of Microsoft's operating system are vulnerable to a problem with a Windows component that supports telecommunication, Microsoft said in its MS05-040 bulletin, rated "important." However, it primarily affects servers configured as telephony servers, the company said. An attacker could commandeer such a system by sending it a specially crafted request.

The two remaining bulletins are rated "moderate." One fixes a previously known security flaw that, using a problem in the Remote Desktop Protocol, could let a hacker remotely crash computers running Windows. The other relates to Microsoft's implementation of the Kerberos authentication protocol.

RDP is a protocol that enables remote access to Windows systems. Because of a flaw in the way Windows handles remote desktop requests, an attacker could crash a PC by sending a malformed remote request, Microsoft said in bulletin MS05-041.

The Kerberos problem affects only Windows 2000 and Windows Server 2003 systems used as domain controllers. A specially crafted message sent to a system could cause it to crash, Microsoft said.

Another flaw related to Kerberos could let an attacker spoof a domain controller and potentially access a network, but can't be exploited by anonymous users, Microsoft said in bulletin MS05-042.

Microsoft urges its customers to apply the patches as soon as possible. Users of Automatic Updates in Windows will get the patches automatically. Microsoft is not aware of any current attacks that take advantage of the problems patched in the bulletins.