FRAMINGHAM (10/15/2003) - Microsoft Corp. Wednesday issued its first monthly security update since announcing the new initiative last week.
The update consists of five Windows vulnerabilities, four of which the company deemed "critical."
Three of the flaws affect all recent Microsoft operating systems, including Windows NT, Windows 2000, Windows XP and Windows Server 2003. The fourth critical flaw affects only Windows 2000.
According to security bulletin MS03-041, there is a vulnerability in Authenticode that, under certain low-memory conditions, could allow an ActiveX control to download and install without asking the user for approval to do so. An attacker could host a malicious Web site designed to exploit this vulnerability, Microsoft said.
According to security bulletin MS03-042, a vulnerability exists in the Microsoft Local Troubleshooter ActiveX control (Tshoot.ocx), which could allow a buffer overflow that would let an attacker run malicious code on a user's system.
According to security bulletin MS03-043, a flaw in the operating system's Messenger Service could allow arbitrary code to be executed on an affected system. The vulnerability results because the Messenger Service doesn't properly validate the length of a message before passing it on to the allocated buffer.
According to security bulletin MS03-044, a flaw exists in the Help and Support Center function that ships with Windows XP and Windows Server 2003. The vulnerability can arise when a file associated with the Human Communications Protocol contains an unchecked buffer.
An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, could execute malicious code.
The fifth vulnerability, which was listed by Microsoft in Security Bulletin MS03-045 as "important," affects Windows NT, Windows 2000, Windows XP and Windows Server 2003 and could give an attacker "complete control over the system by using Utility Manager in Windows 2000."