Microsoft patches three flaws

gallery

Microsoft has patched three vulnerabilities in its Windows software with two patches as part of its monthly Patch Tuesday bulletin issued late yesterday.

As reported last week, one of the flaws was given Microsoft highest severity ranking as 'critical' and addresses a Windows transmission control protocol/internet protocol (TCP/IP) vulnerability that could allow a remote code execution, giving an attacker complete control of the system with no user intervention.

MS08-001 therefore addresses the two bugs affecting three Windows TCP/IP protocols: the internet group management protocol (IGMP) and multicast listener discovery (MLD) are used to handle IP multicasting, like webcasts for example, and the internet control message protocol (ICMP), used for network connectivity and routing.

The second MS08-002 bulletin patches an elevation of privilege flaw, which typically means an attack to exploit this vulnerability needs local access in Windows 2000, XP and Server 2003. Nevertheless, this flaw is rated as 'important' because it affects the Local Security Authority Subsystem Service (LSASS) that handles authentication for the client and for the server its improper handling of local procedure call (LPC) requests.

Security firm Qualys advised that an attacker who successfully exploited this vulnerability could gain complete control over the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Amol Sarwate, Qualys' vulnerability research labs manager, said the critical update was significant because the affected protocols are often enabled for group management applications in mixed Unix and windows environments.

He said this month was 'fairly light' in comparison to other Patch Tuesdays but that both patches marked a trend towards flaws affecting multiple versions of Windows, where Microsoft has re-used the same code in different versions. "Some of these protocols are over 20 years old," he said.

Microsoft also released five non-security related, high-priority updates via Microsoft Update and Windows Server Update Services (WSUS), which downloads and installs Windows fixes and updates for other Microsoft products, including Office.

Two other non-security related, high-priority updates for Windows on Windows Update and WSUS followed, while the release of an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, WSUS and the Download Centre rounded out the first Patch Tuesday of 2008.

Email to a friend

Print this page