Microsoft Issues Patches For Critical Flaws


Andrew
11-14-03, 06:27 PM
Microsoft last week issued three critical and one important patch for an assortment of its products. However, the security community appears concerned with the length of time it took the software giant to produce one of the critical patches--more than nine months from its initial reporting--and publicly released exploit code.

A buffer overrun in the remote debug functionality of FrontPage Server Extensions running on Windows 2000 and XP could allow an attacker to run code with local privileges. FrontPage Server Extensions also contains a denial-of-service flaw in the SmartHTML interpreter, a set of dynamic link library files that support dynamic Web content.

"Exploit code targeting the vulnerability in MS-051 has been published," says David Kennedy, director of research services at TruSecure. "FrontPage is exposed because its function is to update content. FrontPage is also commonly used in a Web hosting environment thus an attacker could exploit one server and leverage that to additional servers at the same host, even ones not running Front Page."

Meanwhile, the Full Disclosure security mailing list is humming with criticism that it took Microsoft so long to patch the vulnerability.

Brett Moore of Security-Assessment.com, a provider of intrusion testing and security code review, says he reported the flaw to Microsoft on Jan. 30.

Microsoft didn't comment by presstime.

Other patches include a cumulative update to correct five new flaws in IE 5.01/5.5/6.0. Another critical alert was issued for Workstation Service in Windows 2000/XP and FrontPage Server Extensions in Windows NT/2000/XP/Server 2003. Microsoft also released less severe warnings about flaws in Office applications, Word and Excel. Both flaws could allow remote code execution.

Microsoft recommends admins install the critical patches immediately.

Read more on the flaws: http://www.searchSecurity.com/originalContent/0,289142,sid14_gci936407,00.html

Advisories: http://www.microsoft.com/technet/security/bulletin/MS03-048.asp
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
http://www.microsoft.com/technet/security/bulletin/MS02-050.asp
http://www.microsoft.com/technet/security/bulletin/MS03-051.asp