Microsoft Races To Fix More FlawsMicrosoft Races To Fix More Flaws

Microsoft has released a patch for multiple vulnerabilities in its Internet Explorer Web browser--among them two it rated as "critical"--adding to the summer's frenzy of fixing flaws in its operating system and applications.

But that was only the beginning. At the same time, Microsoft also issued two additional bulletins that noted critical vulnerabilities in the database connectivity component of Windows and within DirectX, the multimedia APIs used by Windows to run graphics, video, audio, and 3D applications.

The continued wave of Microsoft's vulnerabilities is disappointing, said Michael Cherry, a senior analyst at Directions on Microsoft, and challenges the company's attempt to convince users that it's making progress on its Trustworthy Computing imitative, a companywide effort to tighten security in its products.

"Expectations were that the rate of security incidents would have fallen by now, since Microsoft made such a point about how much it spent on reviewing the Windows code," he said.

Last year, as part of Trustworthy Computing, Microsoft took time off development to review the code of its operating systems, applications, and tools in a search for security holes.

The critical vulnerabilities in Internet Explorer affect versions 5.01, 5.5, and 6.0; Microsoft said they could result in an attacker running malicious code on the system if the user browses to a specially crafted Web site or opens a link to such a site contained in an E-mail message.

Internet Explorer 6.0 on Windows Server 2003, Microsoft's newest server software, is also vulnerable, although the company rated the flaw as only "moderate" due to the default configuration of the server software, which prevents such attacks.

The first of the critical holes in Internet Explorer can result in a buffer overrun in an ActiveX control within the now-obsolete Windows Reporting Tool. The patch sets the Kill Bit on the BR549.DLL ActiveX control, disabling the ActiveX component and preventing it from being re-installed.

The second critical vulnerability stems from Internet Explorer's mishandling of object tags in HTML pages. When the browser encounters an object tag and then calls for a file from a Web server, it doesn't properly check that the file received is the correct type. An attackers could take advantage of the flaw by hosting a specially-made Web site, getting users to visit it, then forcing Internet Explorer to execute a file of his or her own choosing. That could give the intruder full access to the machine, or allow the intruder to take any action--including deleting files--that's available to the real user.

Microsoft issued patches for the Internet Explorer vulnerabilities on its TechNet Web site; as usual, the patches can also be downloaded using WindowsUpdate.

Included in the patch is another fix--this one for a vulnerability tagged "important" by Microsoft--that corrects a flaw in the way the browser checks the originating domain when looking for local files in the browser cache. An attacker could load malicious script code onto a system by compromising the security Internet Explorer's My Computer zone. Again, by enticing users to a Web site, the attacker might be able to load such code to execute on the machine, or run a file already on the PC.

In two separate bulletins, both follow-ups to earlier warnings, Microsoft noted vulnerabilities within the MDAC component of Windows and inside virtually all versions of DirectX. MDAC, which stands for Microsoft Data Access Components, is used by the operating system to provide database connectivity.

This vulnerability has to be particularly embarrassing to Microsoft, for it was originally released in July 2002. At that time, however, Microsoft believed it stemmed from a command specific to SQL Server. Now it says the flaw is actually within the underlying MDAC component OCBC, which is present in all versions of Windows.

Microsoft also admitted that the original patch didn't install correctly on some systems because of an error in the way Windows Installer updated the System File Protection cache.

The company rated this flaw as "critical," its highest threat level. Fixes can be found on the TechNet site or obtained by using WindowsUpdate.

"This is a really bad one," Cherry said. "Microsoft says they're going to turn on AutoUpdates, and make it mandatory to download and install patches. But this is a poster child for why that's a bad idea."

DirectX should also be patched immediately or upgraded, said Microsoft. A flaw in versions of DirectX going back as far as 5.2 could permit an attacker to run programs on a machine compromised by a malicious MIDI audio file hosted on a Web site or posted to a network share. Virtually all editions of DirectX are at risk. Wednesday's alert is a follow-on to one originally posted July 23, but has been updated to include DirectX 8.0, 8.0a, 8.1, 8.1a, and 8.1b, which it now says is also vulnerable.

Users can obtain the DirectX patch from the TechNet Web site; concurrently, Microsoft released DirectX 9.0b, an update that includes the security fix that can be installed on all supported versions of Windows except for Windows NT 4.0.

Cherry pointed to the DirectX flaw as a good example of what Microsoft should have uncovered much earlier.

"We're still seeing problems that we would have hoped the code review would have caught," he said. "I'm surprised that the code review didn't catch that."

Even so, Cherry gave Microsoft a passing grade. "They still have a ways to go," he said, "but it's so much better than it was a year ago."