Microsoft issues patches for five software flaws

Microsoft has issued its first monthly security update since announcing the initiative last week.

The update covers five Windows vulnerabilities, four of which the company rated "critical".

Three of the flaws affect all recent Microsoft operating systems, including Windows NT, Windows 2000, Windows XP and Windows Server 2003. The fourth critical flaw affects only Windows 2000. 

According to security bulletin MS03-041, there is a vulnerability in Authenticode, Microsoft's code-signing check for downloaded software, which under certain low-memory conditions could allow an ActiveX control to download and install without asking the user for approval.

An attacker could host a malicious website designed to exploit this vulnerability, Microsoft said. 
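The bulletin's "low-memory conditions" point to a familiar design fault: a trust decision whose error path ends up on "allow" when a resource runs out. The following is an added illustration written for this article, not Authenticode or any other Microsoft code. The allocator hook, the prompt callback and the publisher string are assumptions made for the demo; the lesson is that a prompt routine must default to deny so that a failed allocation cannot skip the question.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example written for this article, not Authenticode code. It shows the
 * shape of the fault MS03-041 describes: a trust decision whose error path
 * lands on "allow" when memory runs out, beside the fail-closed form. The
 * allocator hook, prompt callback and publisher string are assumptions. */

enum verdict { VERDICT_DENY = 0, VERDICT_ALLOW = 1 };

/* Hypothetical allocator hook so a low-memory condition can be simulated. */
static int low_memory = 0;
static void *try_alloc(size_t n) { return low_memory ? NULL : malloc(n); }

/* Stand-in for the "do you want to install this control?" dialog: returns
 * nonzero if the user clicks Yes. */
typedef int (*prompt_fn)(const char *text);

/* Fail-open: the verdict starts as ALLOW and only a completed prompt can
 * change it, so an early exit on allocation failure installs without asking. */
enum verdict decide_fail_open(const char *publisher, prompt_fn ask)
{
    enum verdict v = VERDICT_ALLOW;
    size_t n = strlen(publisher) + 64;
    char *text = try_alloc(n);
    if (text == NULL)
        goto out;                 /* low memory: the prompt is never shown */
    snprintf(text, n, "Install the control signed by %s?", publisher);
    v = ask(text) ? VERDICT_ALLOW : VERDICT_DENY;
    free(text);
out:
    return v;
}

/* Fail-closed: DENY is the default and the only route to ALLOW is a prompt
 * the user actually answered. */
enum verdict decide_fail_closed(const char *publisher, prompt_fn ask)
{
    enum verdict v = VERDICT_DENY;
    size_t n = strlen(publisher) + 64;
    char *text = try_alloc(n);
    if (text == NULL)
        return v;                 /* cannot ask, so do not install */
    snprintf(text, n, "Install the control signed by %s?", publisher);
    if (ask(text))
        v = VERDICT_ALLOW;
    free(text);
    return v;
}

/* A user who always declines; with this user the correct verdict is DENY. */
static int user_declines(const char *text) { (void)text; return 0; }

/* Scenario helpers: run each decision routine with or without memory pressure. */
enum verdict fail_open_verdict(int simulate_low_memory)
{
    low_memory = simulate_low_memory;
    enum verdict v = decide_fail_open("Example Publisher", user_declines);
    low_memory = 0;
    return v;
}

enum verdict fail_closed_verdict(int simulate_low_memory)
{
    low_memory = simulate_low_memory;
    enum verdict v = decide_fail_closed("Example Publisher", user_declines);
    low_memory = 0;
    return v;
}

int main(void)
{
    printf("fail-open,   normal memory: %s\n", fail_open_verdict(0) ? "ALLOW" : "DENY");
    printf("fail-open,   low memory:    %s\n", fail_open_verdict(1) ? "ALLOW" : "DENY");
    printf("fail-closed, low memory:    %s\n", fail_closed_verdict(1) ? "ALLOW" : "DENY");
    return 0;
}
```

Under normal memory both routines agree with the user and deny. Starve the allocator and the fail-open routine returns ALLOW without the user ever seeing a prompt, which is the behaviour class the bulletin warns about; the fail-closed routine denies.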

Security bulletin MS03-042 details a buffer overflow in the Microsoft Local Troubleshooter ActiveX control (Tshoot.ocx) that could let an attacker run malicious code on a user's system.

Security bulletin MS03-043 highlights a flaw in the operating system's Messenger Service that could allow arbitrary code to be executed on an affected system. The flaw exists because the Messenger Service does not properly validate the length of a message before copying it into the buffer allocated for it.

Another flaw, detailed in security bulletin MS03-044, exists in the Help and Support Centre function that ships with Windows XP and Windows Server 2003. The vulnerability arises because a file associated with the HCP protocol, the hcp:// URL scheme that Help and Support Centre handles, contains an unchecked buffer.

An attacker could exploit the vulnerability by constructing a URL which, when clicked on by the user, could execute malicious code. 
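Both MS03-043 and MS03-044 come down to the same bug class: a length or size taken from attacker-controlled input (a network message, a URL) is used to copy data into a fixed-size buffer without being checked against that buffer's capacity. The code below is an added example written for this article, not Messenger Service or Help and Support Centre code. The one-byte-length wire format, the buffer size and the canary standing in for a saved return address are all constructed for the demo; the unchecked copy is addressed at the whole frame so that the overrun lands on the canary rather than in undefined memory, a clamp real vulnerable code would not have.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example written for this article, not Messenger Service or Help and
 * Support Centre code. It models the bug class MS03-043 and MS03-044 describe:
 * a length taken from attacker-controlled input is used to copy into a
 * fixed-size buffer without being checked against that buffer's capacity.
 * The wire format (one length byte, then the body) is constructed for the demo. */

#define BODY_MAX 32               /* the fixed buffer the code expects to suffice */
#define CANARY   0xA5A5A5A5u

/* Stand-in for a stack frame: the fixed buffer, then a value that must not
 * be clobbered (a canary playing the role of a saved return address). */
struct frame {
    unsigned char body[BODY_MAX];
    uint32_t      canary;
};

/* Vulnerable form: the body length comes straight from the message header.
 * The destination is addressed as the whole frame so the overrun lands in the
 * canary rather than in undefined memory; real code would have no such clamp. */
size_t copy_unchecked(struct frame *f, const unsigned char *msg, size_t msg_len)
{
    f->canary = CANARY;
    if (msg_len < 1)
        return 0;
    size_t body_len = msg[0];                 /* attacker-controlled */
    if (body_len > msg_len - 1)
        body_len = msg_len - 1;               /* avoid over-reading the source */
    if (body_len > sizeof *f)
        body_len = sizeof *f;                 /* demo-only clamp, see comment above */
    memcpy((unsigned char *)f, msg + 1, body_len);   /* body[] starts at offset 0 */
    return body_len;
}

/* Hardened form: the length is validated against both the bytes actually
 * received and the buffer's capacity, and an oversized message is rejected
 * rather than silently truncated. */
int copy_checked(struct frame *f, const unsigned char *msg, size_t msg_len)
{
    f->canary = CANARY;
    if (msg_len < 1)
        return -1;
    size_t body_len = msg[0];
    if (body_len > msg_len - 1 || body_len > sizeof f->body)
        return -1;
    memcpy(f->body, msg + 1, body_len);
    return (int)body_len;
}

/* Builds a constructed message whose body is body_len bytes of 'A' (0x41). */
static size_t build_message(unsigned char *out, size_t body_len)
{
    out[0] = (unsigned char)body_len;
    memset(out + 1, 'A', body_len);
    return body_len + 1;
}

/* Feeds a body_len-byte message to the vulnerable copy; returns 1 if the
 * canary survived, 0 if the copy overwrote it. */
int unchecked_canary_survives(size_t body_len)
{
    unsigned char msg[256];
    struct frame f;
    size_t n = build_message(msg, body_len);
    copy_unchecked(&f, msg, n);
    return f.canary == CANARY;
}

/* Feeds the same message to the hardened copy; returns bytes copied or -1. */
int checked_result(size_t body_len)
{
    unsigned char msg[256];
    struct frame f;
    size_t n = build_message(msg, body_len);
    return copy_checked(&f, msg, n);
}

int main(void)
{
    printf("unchecked, 16-byte body: canary %s\n", unchecked_canary_survives(16) ? "intact" : "CLOBBERED");
    printf("unchecked, 36-byte body: canary %s\n", unchecked_canary_survives(36) ? "intact" : "CLOBBERED");
    printf("checked,   36-byte body: result %d\n", checked_result(36));
    return 0;
}
```

A 16-byte body fits and both routines behave; a 36-byte body overwrites the canary with 0x41414141 in the unchecked version, which on a real stack would be the saved return address the attacker now controls, while the checked version refuses the message. Rejecting rather than truncating matters too: silently cutting a URL or message short can move the problem to whichever parser consumes the truncated data next.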

The fifth vulnerability, rated "important" rather than critical by Microsoft in security bulletin MS03-045, affects Windows NT, Windows 2000, Windows XP and Windows Server 2003 and could give an attacker "complete control over the system by using Utility Manager in Windows 2000".

Last week, Microsoft chief executive officer Steve Ballmer announced a range of security initiatives to protect customers from what he called a "wave of criminal attacks".

The decision to shift from weekly to monthly security bulletins was part of that effort and was made in response to complaints from Microsoft customers about the difficulty of keeping up with weekly releases, Microsoft said.

Linda Rosencrance writes for Computerworld
