Microsoft patches new Windows flaw

The software company says the security hole, which could enable an attacker to remotely execute malicious code, poses an "important" risk.

Ina Fried Former Staff writer, CNET News

During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.

See full bio

Ina Fried

May 11, 2004 5:34 p.m. PT

Microsoft on Tuesday detailed a new vulnerability in Windows XP and Windows Server 2003 that could enable an attacker to remotely execute malicious code.

The software maker described the problem as "important," its second-highest rating for such problems. Antivirus software maker Symantec, meanwhile, characterized the vulnerability as "high risk," citing the impact that there could be if the vulnerability was successfully exploited.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

The flaw exists in the way Windows' Help and Support Center validates information that is sent to it. The software maker released a patch for the vulnerability and urged customers to "install the update at the earliest opportunity." The patch is posted to the company's security Web site, as is a "="" rel="noopener nofollow" class="c-regularLink" target="_blank">bulletin outlining the flaw.

The bulletin was released as part of Microsoft's regularly scheduled monthly security update, according to Stephen Toulouse, a security program manager in the Microsoft Security Response Center. As for the rating level, Toulouse said Microsoft typically only deems vulnerabilities "critical"--the highest level--if they can be exploited without the user taking any action.

The announcement of the flaw comes as Microsoft works to battle the outbreak of the Sasser worm and its variants. The software giant has been touting the arrest of a German teenager believed responsible for Sasser and other recent infections.

However, unlike Sasser, the latest vulnerability cannot be exploited simply through an e-mail worm. According to Symantec and Microsoft, there are a number of steps the user would need to take in order for their system to be compromised. Most likely, an attacker would have to host a Web site with a page designed to exploit the vulnerability and convince a user with an unpatched system to visit the site and perform several actions.

Microsoft warned of the vulnerability that led to Sasser in a bulletin last month.

The patch released Tuesday by Microsoft to fix the new flaw also makes two other changes designed to make Windows more secure. First, Microsoft removed a feature in Windows XP that gave users the option to upgrade a DVD decoder, in a move designed to prevent malicious exploitation of the feature.

Second, Microsoft eliminated a feature in the Help and Support Center that sometimes prompts people to send out information on their system's hardware after they run the "Found new hardware" wizard. Now, instead of being prompted to send their hardware information, users will now get an error message at the end of installing new hardware.