Microsoft Corp. released three software patches rated "critical" late last week. The patches plug holes in Internet Explorer, Windows XP, SQL Server 2000 and Commerce Server 2000.
Two of the patches aim to fix information disclosure flaws in Microsoft's Web browser Internet Explorer (IE).
The first flaw exists in IE versions 5.01, 5.5 and 6.0. Through it, malicious Web site operators can read files on users' computers and tap information entered into the Web browser such as usernames, passwords and credit card details, Microsoft said in security bulletin MS02-009. (http://www.microsoft.com/technet/security/bulletin/MS02-009.asp)The problem lies in the way IE handles scripting across domains within frames, Microsoft said. The flaw allows VBScript, Microsoft's script language, running in one domain -- the domain of the attacker -- to read data in a frame belonging to another domain, which could be the user's local PC or an online shop.
To be exposed to this VBScript handling flaw, a user would have to go to a Web site that is under the attacker's control or open an HTML (Hypertext Markup Language) e-mail from the attacker, Microsoft said. The patch fixes the vulnerability by instituting domain verification handling for VBScript.
The second information disclosure flaw also requires a user to visit an attacker's Web site and would allow the attacker to read files on users' systems, Microsoft said in security bulletin MS02-008. (http://www.microsoft.com/technet/security/bulletin/MS02-008.asp) This flaw requires patching of Internet Explorer 6.0, the operating system Windows XP and database server SQL Server 2000, as these applications all contain the flawed code.
This vulnerability, dubbed the XMLHTTP bug by security experts because it appears in the XMLHTTP ActiveX control, has been waiting for a plug since it was published on Dec. 15 last year.
The ActiveX control is part of Microsoft's XML Core Services software. Flawed versions of the control ship as part of Windows XP, IE 6.0 and SQL Server 2000. They do not respect the security zone settings in IE, allowing a Web page to specify a file on a user's computer as an XML (Extensible Markup Language) data source as a means of reading the file, Microsoft said. XML Core Services software is used by other applications to parse, generate , validate and transform XML documents so that the information can be displayed, stored or manipulated, Microsoft said.
The third patch Microsoft issued is to fix a buffer overrun flaw in Commerce Server 2000, software that supports electronic commerce Web sites. The flaw was discovered as part of Microsoft's internal security code review, the company said. An attacker exploiting the flaw could gain full control over the system running the software by sending a malformed request to it, Microsoft said in security bulletin MS02-010. (http://www.microsoft.com/technet/security/bulletin/MS02-010.asp)The flaw lies in a software component called AuthFilter, an ISAPI (Internet Services Application Programming Interface) filter that provides support for authentication methods on the system. This filter is installed by default, Microsoft said. All administrators using Commerce Server 2000 are urged to patch their systems.
Installing URLscan, a software tool recommended by Microsoft, will protect Commerce Server 2000 installations from being taken over by an attacker, but the server can still be caused to fail by sending it a malformed request, Microsoft noted. Earlier versions of the software, including Site Server 3.0 and Site Server 3.0 Commerce Edition, are not affected, the software maker said.
Thor Larholm, a Danish Internet programmer and security expert who maintains a list of security holes Microsoft has yet to patch on his Web site at http://www.jscript.dk/, said Microsoft is on the right track.
"It is nice to see that they have patched most of the holes listed on my site, but it is frightening to witness the amount of time it took and the pressure from the public that was needed," he said. "However, Microsoft's actions are a promising trend and I hope their initiative to put more focus on security will outlive the month."
Microsoft has announced it will take a break of about a month from developing new code to go back to the already written software and check that for security flaws. [See "Microsoft takes a break to clean its code," Feb. 4.] The now-patched Commerce Server 2000 flaw seems to be the first result of those efforts.
"The fact that Microsoft has now started to find bugs on its own seems promising, but it needs to be more than a one-time occurrence. Microsoft needs to rethink fundamental parts of its security processes, as it is too easy for outsiders, with no access to Microsoft's closed source, to find new security holes," Larholm said.
Notwithstanding the patches, IE remains vulnerable, according to Larholm.
"Internet Explorer remains insecure. In the next month or two we will probably have about five new vulnerabilities. I have listed three current vulnerabilities that aren't public yet, but were discovered by a software firm. Microsoft is currently investigating these holes that allow an attacker to read local files," he said.