News

Microsoft patches flaw in MSN and Gopher

Microsoft has released two security bulletins, the first updating a patch the company released for a handful of its chat software clients in May. The second detailed a work-around to a flaw in its Internet Explorer Web browser that came as a result of the ageing Gopher protocol.

The vulnerability in MSN Chat, MSN Messenger and Exchange Instant Messenger addressed by the patch released on 8 May could have allowed an attacker to run code on target machines via a buffer overflow in ActiveX.

The original patch did not, however, stop the affected ActiveX component from being reinstalled on systems in all cases, leaving the potential for patched systems to become vulnerable again, Microsoft said. To address this, the company released another set of fixes for all three affected products.

Buffer overflows occur when the space reserved for programs or services in memory is over run, allowing attackers to run code or take over systems.

In May, the company released a patch for Internet Explorer that, security researchers charged, did not close all the holes it claimed to.

Microsoft encountered a similar problem in February, when another patch for IE caused the browser to crash.

The software company also released a security bulletin detailing a way for users to protect themselves from attack using the Gopher protocol. Microsoft has not yet released a patch to fix the issue.

The Gopher vulnerability potentially gives a remote user access to a host computer, by exploiting a buffer overflow bug in IE's gopher code.

The company's warning about the Gopher vulnerability marks Microsoft's official acknowledgement of the bug. When Online Solutions, the Finnish company that discovered the flaw, released its advisory, Microsoft said only that it was investigating the issue and did not confirm it.

The new security alert, patches and updated versions of the programs can be found at www.microsoft.com/technet/security/bulletin/MS02-022.asp

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy