The company said late Wednesday that a bug in a Windows help file could let a hacker seize control of a person's computer. The bug affects most currently supported versions of Windows: 98, 98 Second Edition, Millennium Edition, XP, NT 4, NT 4 Terminal Server Edition and 2000. Microsoft reported two separate problems with the help file system, which warranted issuing a "critical" alert.
Microsoft also issued two "moderate" alerts, one identifying two separate security bugs involving compressed files and the other three problems with Microsoft's Services for Unix 3. A fourth critical alert advised of a cumulative patch for protecting SQL Server 7 and 2000 from hackers.
The alerts follow a string of security warnings from Microsoft. In late September, for example, Microsoftof a bug affecting FrontPage. Some other flaws announced that month Microsoft's Java version and documents.
Microsoft has taken security more seriously since Chairman Bill Gates issued a memo in Januarythe company's priorities. Gates said the company must focus more on security than on the addition of features to software. On Wednesday, Microsoft CEO Steve Ballmer a memo to customers explaining the ways the company is trying to lower the number of bugs in its software. But he conceded "a sad truth about software: Any code of significant scope and power will have bugs in it."
The latest warnings bring to 57 the number of security alerts issued by Microsoft so far this year.
Open to exploitation
Microsoft said the first new flaw discovered exploits a problem with ActiveX, the Microsoft technology that lets programs interact with Web sites and applications. The flaw could allow a buffer overrun, "which could be exploited by a Web page hosted on an attacker's site or sent to a user as an HTML mail," according to the security alert. A successful exploit would allow the hacker "to run code in the security context of the user, thereby gaining the same privileges as the user on the system."
A second help file bug affects shortcuts used to find HTML help files. Normally, only help files "trusted" by the operating system would be able to take advantage of the shortcuts.
"Two flaws allow this restriction to be bypassed," according to the security alert. "First, the HTML help facility incorrectly determines the Security Zone in the case where a Web page or HTML mail delivers a .chm file to the Temporary Internet Files folder and subsequently opens it." The second attack, which would be more difficult to execute, involves HTML e-mail contacting a .chm file and shortcut. Once open, Microsoft said, "the shortcut would be able to perform any action the user had privileges to perform on the system."
Microsoft rated the ActiveX exploit as critical for desktop operating systems but moderate for Internet and intranet servers. The help file exploit is moderate for desktop Windows and low for Internet and intranet servers. Patches are available for 98 and 98 SE, XP, NT 4, NT 4 Terminal Edition and 2000. The Windows Me patch must be retrieved using the Windows Update feature.
A second alert addressed two vulnerabilities related to compressed, or .zip, files. The problem affects Windows 98 versions with the "Plus! Pack" installed, as well as Windows Me and Windows XP. The first problem creates an unchecked buffer overrun when certain files are decompressed. "A specially malformed file name contained in a zipped file could possibly result in Windows Explorer failing, or in code of the attacker's choice being run," the security alert warned.
The flaw could allow a hacker to place a decompressed file in a file directory other than the one intended. The hacker could, for example, place another malicious program in the Windows startup folder, which would execute when the computer reboots.
Patches are available for 98 and XP. The Windows Me patch must be retrieved using Windows Update. Microsoft rated the security exploits as moderate for desktop operating systems and low for Internet and intranet servers.
The third security alert addressed problems that could affect many third-party software applications. The three vulnerabilities, which affect Windows NT 4, 2000 and XP, could result in denial-of-service attacks or allow hackers to run malicious code.
Microsoft provides developers with tools for making it possible for Windows systems to interoperate with Unix operating systems, such as Sun Microsystems' Solaris. Microsoft uncovered three flaws affecting the Sun RPC (Remote Procedure Call) library in Microsoft's Services for UNIX (SFU) 3.0. Developers "need to evaluate three vulnerabilities," the security bulletin warned.
The fourth security warning alerted customers to the availability of a cumulative patch for four separate, newly discovered flaws involving SQL Server 7 and SQL Server 2000. One buffer overrun exploit could allow for a malicious login and access to other key systems. "It would not be necessary for the user to successfully authenticate to the server or to be able to issue direct commands to it in order to exploit the vulnerability," the security alert warned.
The second flaw, also a buffer overrun, affects the Database Console Commands that, if exploited, could give a hacker "complete control over all databases on the server." Microsoft deemed these and two other exploits, one involving system privileges, as critical. Patches are available for SQL Server 7 and SQL Server 2000.