Microsoft issues Jan security bulletin
Posted on 15 Jan 2004 at 11:57
Microsoft has published its security bulletin for January with patches for three flaws, although it has yet to address the site-spoofing hole.
The most serious of the three concerns its Internet Security and Acceleration Server 2000, and Small Business Server 2000 and 2003 (which contain the 2000 version).
The patch fixes a buffer-overflow vulnerability in the filter that handles data sent using the H.323 standard, a real-time multimedia communications protocol that is also used in Voice-over-IP devices.
If the flaw is successfully exploited, an attacker would be able to run code with the same security privileges as the firewall. The patch is at Microsoft's security site.
The second of the three affects Microsoft Data Access Components (MDAC), found in Windows 2000, XP, Server 2003 and SQL Server. Again, it's a buffer-overflow vulnerability, one that can occur when a client computer scans for available SQL servers. An attacker could create a data packet that is sent in reply to the scan and, after successfully exploiting the flaw, could run code on the target system with the same privileges as the program that made the scan.
Microsoft has rated it as important because of a number of mitigating factors, including the fact that the malicious packet sent in response would have to dupe the target system into believing it was within the network. The patch is available at Microsoft's update site.
The final fix affects Exchange Server 2003. The flaw concerns Exchange 2003 front-end servers running Outlook Web Access, where one user might find themselves connected to another user's account if that account had been recently accessed. However, there is no way of determining which account would be accessed.
Microsoft rates the vulnerability as moderate and has provided a patch at its security site.
Microsoft has not, as yet, fixed a flaw identified in December that allows the address field of IE to display a URL different from that of the Web page actually shown. This makes it easy for ill-intended types to create a 'bank-spoofing' page asking users to enter sensitive information.
Author: Matt Whipp
Printed from www.pcpro.co.uk

