Microsoft issues Jan security bulletin
Posted on 15 Jan 2004 at 11:57
Microsoft has published its security bulletin for January with patches for three flaws, although it has yet to address the site-spoofing hole.
The most serious of the three concerns its Internet Security and Acceleration Server 2000, and Small Business Server 2000 and 2003 (which contains the 2000 version).
The patch fixes a buffer-overflow vulnerability in the filter that handles data sent using the H.323 standard, a real-time multimedia communications protocol that is also used in Voice-over-IP devices.
If the flaw is successfully exploited, an attacker would be able to run code with the same security privileges as the firewall. The patch is at Microsoft's security site.
The second of the three affects Microsoft Data Access Components (MDAC), found in Windows 2000, XP, Server 2003 and SQL Server. Again it's a buffer-overflow vulnerability, one that can occur when a client computer scans for available SQL servers. An attacker could create a data packet that is sent in reply to the scan and, after successfully exploiting the flaw, could run code on the target system with the same privileges as the program that made the scan.
Microsoft has rated it as important because of a number of mitigating factors, including the fact that the malicious packet sent in response would have to dupe the target system into believing it came from within the network. The patch is available at Microsoft's update site.
The final fix affects Exchange Server 2003. The flaw concerns Exchange 2003 front-end servers running Outlook Web Access, where one user might find themselves connected to another user's account if that account had been recently accessed. However, there is no way of determining which account would be accessed.
Microsoft rates the vulnerability as moderate and has provided a patch at its security site.
Microsoft has not, as yet, fixed a flaw identified in December that allows the address field of IE to display a URL different from that of the Web page actually shown. This makes it easy for ill-intended types to create a 'bank-spoofing' page asking users to enter sensitive information.
Author: Matt Whipp


Printed from www.pcpro.co.uk