Even-though there were 9 flaws in discussion, in the end 14 were fixed including a security flaw that could have been exploited by a dangerous worm.
The first 9 flaws needed user interaction to be exploited but the others were rated “critical” and could have allowed a remote attack. One of them was in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC. “It is a remote system vulnerability that could very easily be turned into a worm,” said Marc Maiffret, the chief hacking officer at security specialist eEye Digital Security. “It is very similar to the vulnerability two months ago that resulted in the Zotob worm.” The MSDTC buffer overflow flaw affects systems under Windows 2000 but can be exploited on XP with Service Pack 1 or Windows Server 2003.
“Among the critical updates, customers who run older versions of the operating system such as Windows 2000 should prioritize MS05-051 for deployment on those systems,” said Stephen Toulouse, a program manager in Microsoft’s Security Response Center.
Other three critical flaws were also fixed but these carry varying risk ratings, depending on the operating system. One, labeled “critical”, is a flaw in a Windows component that handles resource management tasks, called COM+. This security hole is also found in Windows 2000 and Windows XP SP1.
People who run older versions of the operating system are more at risk from the MSTDC and COM+ vulnerabilities, Toulouse said. That goes for the rest of the rest of the 14 flaws tackled by the patches issued Tuesday.
“In general, many of these bulletins have a lower impact in terms of severity and are much more difficult to exploit on newer operating systems such as Windows XP SP2 and Windows Server 2003 SP1,” Toulouse said.
Microsoft has labeled two other security alerts as critical. One patch fixes a problem in software for streaming media in Windows, called DirectShow. The other repairs problems in Internet Explorer similar to those patched in July and August.
Another “important” update was to repair a problem related to plug-and-play in Windows 2000 and Windows XP.
Also fixed, were three other vulnerabilities in how Windows deals with certain files and characters, and other which involves a software component that supports Novell NetWare networks.
The last two alerts were with a “moderate” label. One fixes an issue with the Network Connection Manager in the 2000, XP and Server 2003 versions of Windows that could cause a system to crash and other fixes a flaw in the Windows FTP client that could allow an attacker to change the location of a file transfer by hosting a malformed file on an FTP server.
Every Windows user is advised to apply these updates if they haven’t done it by now.