Microsoft Issues Patches for 15 Flaws
Microsoft released six updates to address various issues across its products on Tuesday, including four that were rated critical and three that affected Windows Vista.
The first is an important fix that addresses two issues within Microsoft's Visio product. One is a remote code execution vulnerability in how the product handles a specially crafted version number within a Visio file. The other involves how Visio parses packed objects.
In either case, a user would have to open an attachment from an e-mail or visit a specially crafted website, the advisory states.
Next comes a critical fix for issues within the Schannel security package, which enables the SSL and TLS authentication protocols. Microsoft says that Windows 2000, XP and Server 2003 all have issues with how the OS validates server-sent digital signatures.
Vista is the target of a flaw rated "moderate" that could lead to information disclosure. According to the Microsoft advisory, non-privileged users could access local user information, including administrative passwords, which could then be used to gain complete access to the system.
Microsoft's new operating system is also vulnerable to critical flaws within Internet Explorer, which are addressed in a cumulative security update. Altogether seven issues are addressed here, including COM object instantiation, CSS Tag, speech control, and uninitialized memory corruption flaws, plus language pack installation and navigation cancel page spoofing issues.
These issues would also affect Windows 2000, Windows XP, and Windows Server 2003.
The same operating systems are also vulnerable to issues with Outlook Express, which are addressed in a separate critical patch. Three separate information disclosure issues and a remote code execution vulnerability have been remedied.
Finally, a flaw in the Win32 API that puts users of Windows 2000, XP, and Server 2003 at risk of code execution was fixed. A specially designed webpage can take advantage of this issue, Microsoft said in the advisory.