Microsoft has released a critical software patch for
Windows to address a vulnerability that could allow an attacker to
execute code remotely on another machine.
This vulnerability was privately reported to Microsoft and exists in
the way Microsoft Agent handles certain specially crafted URLs. The
vulnerability could allow an attacker to remotely execute code on
the affected system. Users whose accounts are configured to have
fewer user rights on the system could be less impacted than users
who operate with administrative user rights.
Symantec Security Response rates the remote code execution
vulnerability in Microsoft Agent ActiveX as critical, since
ActiveX controls run on a significant number of systems. Consumers
and enterprise users using Microsoft Windows 2000 are susceptible
to exploits if they visit a malicious Web page. A successful
exploit could allow an attacker to install malicious code of his or
her choice, and could potentially allow the attacker to gain
complete control of the affected system.
"Symantec has observed a significant increase in ActiveX
vulnerabilities this year," said Kevin Hogan, senior manager at
Symantec Security Response. "Due to the availability of public
proof-of-concept code, we also think the MSN Messenger and Windows
Live Messenger vulnerability is a high urgency issue."