More safety cracks found after Windows checked

14 Apr 2004

Microsoft has issued several critical security alerts following the discovery of multiple vulnerabilities in its software. The announcements were made as part of Microsoft’s monthly Security Bulletin cycle of issuing software fixes.

These patches cover as many as 20 Windows-based flaws that could leave unprotected systems at risk from internet worms or viruses.

The US firm eEye, which has been particularly vigilant at spotting flaws in Microsoft software, revealed six new vulnerabilities, found in Windows Remote Procedure Call (RPC), Local Security Authority Subsystem Service (LSASS) and in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats. Four of these are extremely critical because they allow code to be executed remotely on unpatched computers.

All current versions of Microsoft Windows and Windows Server 2003 are affected. The vulnerabilities identified by eEye could potentially allow an attacker to take complete control of an affected PC. An attacker could then take any action on the system, such as installing programs, viewing, changing or deleting data or creating new accounts with full privileges.

Other organisations to have found flaws, all credited on Microsoft’s website, include Core Security Technologies, Internet Security Systems, iDefense, NSFOCUS and Qualys. Other applications affected by the latest swathe of vulnerabilities include Outlook Express and Jet Database Engine.

Those with vulnerable systems have been advised to implement the patches immediately. More detailed information, along with the security updates, is available from the Microsoft website.

By Gordon Smith