A posting to the Bugtraq security mailing list on Monday warned of an exploit that works against fully patched installations of IE 6. The problem was later confirmed by security firms including Symantec Corp, which owns Bugtraq.

Oliver Friedrichs, senior manager of Symantec Security Response, said that this attack is actually a combination of two exploits against separate IE vulnerabilities. Used together, they allow attackers to execute code of their choice on victim machines.

Some people are using this to install adware on people’s machines, but they could use it to install malicious programs such as Trojans and backdoors, Friedrichs said. The attack requires victims to visit a web site controlled by the attacker, he said.

A Microsoft spokesperson said the company is investigating and may issue an out-of-cycle patch that would fix the vulnerability, depending on customer needs. In the meantime, the company says a personal firewall could mitigate the risk.

The company issues patches on the second Tuesday of every month in order to give systems administrators a predictable schedule to work from. Microsoft did, however, patch two relatively minor security bugs in its software yesterday.

One problem is in DirectPlay, a component of Microsoft’s DirectX graphics software that enables networked multi-player games. It is a denial-of-service bug, meaning attackers would be able to crash a game that uses DirectPlay.

This bug is largely going to affect consumer Windows users who play games, rather than enterprise users. Many gamers are extremely competitive, often using software exploits to gain an advantage over rival players, Friedrichs noted.

The second vulnerability disclosed yesterday is actually in Crystal Reports software from Business Objects, but affects users who have installed Visual Studio .NET 2003, CRM 1.2 or Outlook 2003, all of which carry Crystal Reports.

The vulnerability, if exploited correctly, would allow attackers to read or delete files, but there are enough mitigating factors that Microsoft chose to issue merely a Moderate warning, the second-lowest rank in its four-rung rating system.