In four TechNet security bulletins, Microsoft late Wednesday disclosed eleven vulnerabilities related to Windows and SQL Server, five of which are labeled critical. Patches have been released for each flaw, and will likely soon be available on Windows Update. The bulletins come a day after Microsoft CEO Steve Ballmer sent out a memo discussing actions the company is taking to improve software updates and customer feedback.
The first posted vulnerabilities involve decompression of ZIP files that are natively supported in Windows Me, XP and Windows 98 with Plus! Pack. A malformed filename could cause Explorer to crash or an attacker's code to be run, according to the bulletin. In addition, an attacker could place files in directories other than those specified by the user, without notification.
A more serious flaw involves the HTML Help facility in Windows, which uses an ActiveX control that contains an unchecked buffer. According to Microsoft, "An attacker who successfully exploited the vulnerability would be able to run code in the security context of the user, thereby gaining the same privileges as the user on the system."
In addition, HTML Help incorrectly runs help files delivered over the Internet within the Local Computer Zone, allowing a malicious file to perform actions on the system without a user's consent.
A cumulative patch for SQL Server was released alongside notice of four new vulnerabilities, the most serious of which could give an attacker full control over a database server. "By sending a specially malformed login request to an affected server, an attacker could either cause the server to fail or gain the ability to overwrite memory on the server, thereby potentially running code on the server in the security context of the SQL Server service," the bulletin reads. SQL Server 97, 2000, and MSDE 1.0 and 2000 are affected.
The last three vulnerabilities involve Microsoft's Services for UNIX 3.0 included on the Interix SDK. A Sun Microsystems RPC library in the SDK includes two potential buffer overflows and an implementation error that could lead to a denial of service attack.
More information on Microsoft security announcements and patches can be found on Microsoft's TechNet Security Web site.