[ISN] Microsoft reports two bugs, third identified

InfoSec News isn at c4i.org
Thu Feb 9 01:42:17 EST 2006


By Jeremy Kirk
IDG News Service

Microsoft is warning of two bugs in its software that could
potentially give unauthorized control or access over a person's
computer, while a third problem has been highlighted by a security
research company.

One vulnerability revisits the Windows Metafile (WMF) debacle from
December, but impacts fewer users. The bug is in Internet Explorer
(IE) 5.01 Service Pack 4 on the Windows 2000 Service Pack 4 OS and IE
5.5 Service Pack 2 on Windows Millennium, Microsoft said.

An attacker could gain control if a user opened a malicious e-mail
attachment or if a user were persuaded to visit a Web site that
had a specially crafted WMF image, Microsoft said.

A patch has not been issued, but Microsoft said the issue is under
investigation, and an out-of-cycle patch could be provided depending
on customer needs. Microsoft typically issues patches on the second
Tuesday of the month, due this month on Feb. 14.

A second vulnerability could allow a person with low user privileges
to gain higher-level access, Microsoft said. Proof-of-concept code that
has been released attempts to exploit overly permissive access
controls on third-party application services, along with the default
services of Windows XP Service Pack 1 and Windows Server 2003, the
company said. No attacks have been reported.

Microsoft said several factors diminish the threat of the problem.  
Those running Windows XP Service Pack 2 and Windows Server 2003
Service Pack 1 - the latest updates of the software - are not
affected, and someone who launches an attack would need authenticated
access to the affected operating system, it said.

Security vendor Secunia detailed a third vulnerability involving
Microsoft's HTML Help Workshop, software that can create online help
for a software application or Web site content.

Secunia said the problem "is caused due to a boundary error within the
handling of a '.hhp' file that contains an overly long string in the
'contents file' field. This can be exploited to cause a stack-based
buffer overflow and allows arbitrary code execution when a malicious
'.hhp' file is opened."

The bug could allow arbitrary code to be executed on a computer,
Secunia said. An exploit has been released, and Secunia advised that
untrusted .hhp files not be opened.
