Microsoft Warns of New Security Vulnerabilities
Microsoft has warned users of three new security vulnerabilities in its products, the most serious of which is a buffer overrun in Windows.
Buffer overflows are commonly exploited by hackers and account for a great many product advisories. The security bulletin, deemed critical by Microsoft, reveals that the culprit is the HTML converter embedded in all versions of Windows for the purpose of converting file formats.
According to company literature, the issue occurs when the component handles a conversion request during a cut-and-paste operation. By sending a specially crafted email or by luring a user to a rogue website, a remote attacker could potentially take complete control over a targeted system.
Microsoft points out that those customers using its latest mail clients are not at risk given that emails open into a restricted zone.
Outlook 98 and 2000 operate within the same restricted zone if patched to provide enhanced security.
“This security flaw is another reminder of the downside of rich email content and Windows' tight integration of email, browser, and OS components,” said Gordon Haff, Senior Analyst and IT Advisor at Illuminata.
The remaining two bulletins are considered important, but not critical, by the software giant. One issue, discovered by the firm Next Generation Security Software, deals with a privilege elevation in Windows 2000’s Windows Message Handling through Utility Manager.
The last of these bulletins is another buffer overrun. Windows NT, 2000 Server, and XP are affected by a flaw in the Server Message Block (SMB) protocol.
A Microsoft representative was not available for comment at press time. All three flaws are listed for inclusion in future service packs.