Microsoft fixed zero-day flaws in Visual Studio and Windows Media
Player last week, but recently disclosed zero-day vulnerabilities in
Word remain unpatched for now.
In all, Microsoft released seven security updates. Three address
critical problems while four are for issues the software giant
deems "important." The patch batch shows how Microsoft is racing to
keep up with a steady stream of zero-day threats. The Windows Media
Player flaw was just disclosed last week, while the Visual Studio
threat appeared in early November.
Despite the company's speed in dealing with the problem, one
security expert said it remains extremely difficult for Microsoft
to stay on top of threats that seem to appear at least once a
week.
"While we see Microsoft making an attempt to patch zero-day
vulnerabilities, they are still struggling to keep up with the
continuous influx of zero-day attacks released closely proceeding
and immediately following the patch cycle," Amol Sarwate, manager
of vulnerability research for Redwood Shores, Calif.-based security
firm Qualys, said in an emailed statement.
Three critical fixes
Three security updates fix critical problems attackers could
exploit to take full control of targeted machines. Microsoft said
an attacker who does this "could then install programs; view,
change, or delete data; or create new accounts with full user
rights."
MS06-072 fixes four Internet Explorer flaws attackers could exploit
by constructing a malicious Web site and luring users to it. They
are vulnerabilities that:
- Surface during attempts to access previously freed memory when
handling script errors in certain situations.
- Surface when Internet Explorer interprets certain DHTML script
function calls.
- Surface when the browser's drag-and-drop operations are handled
in certain situations.
- Could allow the path to cached content in the TIF folder to be
disclosed.
An attacker who successfully exploits the latter two flaws could
retrieve files from the Temporary Internet Files (TIF) folder on a
user's system, Microsoft said.
MS06-073 fixes a previously disclosed zero-day flaw in Visual Studio
2005 that has already been targeted by attackers. The problem is in
the WMI object broker control that the WMI wizard uses in Visual
Studio 2005.
"An attacker could exploit the vulnerability by constructing a
specially crafted Web page that could potentially allow remote code
execution if a user viewed the Web page," Microsoft said.
MS06-078 fixes two Windows Media Player flaws, one of which was
disclosed as a zero-day flaw last week.
The first problem is in how the program handles advanced systems
format (.asf) files. "An attacker could exploit the vulnerability
by constructing specially crafted Windows Media Player content that
could potentially allow remote code execution if a user visits a
malicious Web site or opens an email message with malicious
content," Microsoft said.
The second problem, disclosed last week, is in how the program
handles certain elements contained in advanced stream redirector
(.asx) files. "An attacker could exploit the vulnerability by
constructing a specially crafted .asx file that could allow remote
code execution if a user visits a malicious Web site, where
specially crafted .asx files are used to launch Windows Media
Player, or if a user clicks on a URL pointing to a specially
crafted .asx file," Microsoft said.
Four important fixes
The rest of this month's security updates are for problems
Microsoft rated as important.
MS06-074 fixes a memory corruption flaw attackers could exploit in
Windows' SNMP service to take complete control of the affected
system.
MS06-075 fixes a flaw in how Windows starts
applications with specially crafted file manifests. A logged-on
user could exploit the flaw to take complete control of the
system.
MS06-076 fixes an Outlook Express flaw attackers could exploit by
sending the user a corrupt Windows Address Book file.
MS06-077 fixes a flaw in the Remote Installation Service (RIS) that
enables a TFTP service on the server. Attackers could exploit this
condition to overwrite
existing operating system files or upload a specially crafted
file. "This could allow an attacker to compromise operating
system installs offered by the RIS server," Microsoft said.