Microsoft plugs worm hole in Windows

"Critical" flaw could let worm spread, company says, as it sends updates addressing 18 problems in Windows, Office.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
Microsoft on Tuesday made available fixes for 18 security vulnerabilities in Windows and Office software.

The patches were delivered in seven security bulletins, five of which Microsoft deems "critical," its most serious rating. One of the urgent fixes addresses a flaw in a Windows component that could be used to spread a worm. Other updates deal with Office flaws that have already been used in targeted attacks.

Four updates tackled five Windows-related issues, including a security hole in a Windows component called "mailslot." The flaw poses the most severe risk in Tuesday's bunch, security specialist Symantec said in a statement. By sending a specially crafted network packet, an intruder could use the hole to remotely commandeer a vulnerable computer, without user interaction. The flaw affects Windows 2000, Windows XP and Windows Server 2003, Microsoft said in security bulletin MS06-035.

This means that the "mailslot" flaw could be exploited to launch a worm that could wreak havoc on the Internet. Because the flaw allows malicious code to execute without the PC owner doing anything, such as opening a file, it gives a worm a way to self-replicate.

"This vulnerability is the only worm candidate among the patched vulnerabilities today," Monty IJzerman, senior manager at McAfee Avert Labs said in a statement. Systems running Windows XP with Service Pack 2 and Windows Server 2003 with Service Pack 1 are at a lesser risk to this flaw because the operating systems do not have services listening on mailslots by default, according to Microsoft.

A "mailslot" is a temporary mechanism utilized by applications and operating system processes to facilitate unidirectional data transfer on Windows systems.

An error in the Windows Dynamic Host Configuration Protocol, or DHCP, client on the same systems similarly opens the door to a remote attack via a malicious network packet. However, an attacker has to be on the same subnetwork as the intended target, Microsoft said in bulletin MS06-036.

"Remotely exploitable vulnerabilities can pose a serious threat to organizations because they do not require user interaction and can be attacked from across the Internet," Dave Cole, director of Symantec Security Response, said in a statement.

Three of Microsoft's security bulletins address flaws in Office. Of those, one is dedicated to Excel and offers a fix for a total of eight flaws in the spreadsheet application. This includes patches for two so-called zero-day vulnerabilities that have already had attack code pushed out on the Internet.

All of the 13 Office-related vulnerabilities addressed by Tuesday's patches can be exploited by crafting a malicious Office document, according to Microsoft's security alerts. They could give complete control over a vulnerable system if the document is opened, the software maker said.

Office 2000 users are at higher risk because that version of the productivity software does not display an extra warning when it opens files from the Outlook e-mail client, Microsoft said. The Office and Excel flaws are detailed in security bulletins MS06-037, MS06-038 and MS06-039.

In addition to the five critical bulletins, Microsoft released two alerts labeled "important," one notch below the highest rating. Both primarily affect Web servers running Windows software.

One, MS06-034, addresses a flaw that primarily exposes Web servers that allow users to upload new content, Microsoft said. An attacker could upload a malformed ASP file and commandeer the server. The other, MS06-033, could allow an attacker to view the contents of the applications folder on a Web server.

Microsoft recommends that people install the critical fixes immediately. The updates are available via the Windows Update and Automatic Updates tools. Temporary workarounds are outlined in the security bulletins for those who can't immediately apply the patches.