Seven Microsoft Security Alerts; Two Critical

Security updates from Microsoft have become an annoying monthly ritual for most computer-dependent people, and small business owners are no exception. Still, as frustrating as it may be, updating your systems is necessary in order to keep your PC and network security up to date.

Microsoft’s July updates consist of seven security patches, including two critical vulnerabilities found in the Windows Task Scheduler and HTML Help features.

Critical
&#8226 As part of its monthly patch release cycle, the software giant warned that the Task Scheduler contains a buffer overflow that puts users at risk of computer takeover.

“If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges,” the company warned in an advisory.

Affected products include Windows 2000 and Windows XP. The Windows NT Workstation and Windows NT Server operating systems are not affected by default. However, if Internet Explorer 6.0 Service Pack 1 has been installed on those systems, the vulnerable component exists, Microsoft said.

&#8226 Microsoft issued a separate alert for a vulnerability in HTML Help that could also lead to code execution attacks. The critical flaw affects Windows 98, Windows Millennium Edition (Me), Windows 2000, Windows XP and Windows Server 2003.

According to the alert, the HTML Help hole could allow an attacker to “take complete control of an affected system.” A successful attacker could commandeer machines to install programs; view, change, or delete data; or create new accounts with full user privileges. “Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.”

Important
&#8226 Microsoft released a patch for a remote-code execution vulnerability in the way that the Windows Shell launches applications. This flaw could also leave systems at risk of system takeover. Microsoft said exploiting this vulnerability requires significant user interaction, noting that users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

&#8226 The company also released a privilege-elevation vulnerability patch to correct the way that Utility Manager launches applications. According to the alert, a logged-on user could force Utility Manager to start an application with system privileges and could take complete control of the system. “An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges,” the company warned.

&#8226 The company also plugged a privilege elevation hole in the POSIX operating system component (subsystem) that could be exploited to allow an attacker to take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

&#8226 AMS also released separate patch for a bug found in IIS 4.0.

Moderate
&#8226 And finally, Microsoft issued a cumulative update to plug a denial-of-service hole in Outlook Express.

Adapted from internetnews.com.