Microsoft issues Jan security bulletin
By Matt Whipp
Posted on 15 Jan 2004 at 11:57
Microsoft has published its security bulletin for January with patches for three flaws, although it has yet to address the site-spoofing hole.
The most serious of the three concerns its Internet Security and Acceleration Server 2000, and Small Business Server 2000 and 2003 (which contains the 2000 version).
The patch fixes a buffer-overflow vulnerability in the filter that handles data sent on the H232 standard: a real-time multimedia communications protocol that is also used in Voice-over-IP devices.
If successfully exploited, an attacker would be able to run with the same security privileges as the firewall. The patch is at Microsoft's security site.
The second of the three affects Microsoft Data Access Components (MDAC) found in Windows 2000, XP, Server 2003 and SQL Server. Again it's a buffer overflow vulnerability that can occur when a client computer scans for available SQL servers. An attacker could create a data packet that is sent in reply to the scan and after successfully exploiting the flaw, could run code on the target system with the same privileges as that program that made the scan.
Microsoft has rated it as important because of a number of mitigating factors, including the fact the malicious packet sent in response would have to dupe the target system that it was within the network. The patch is available Microsoft's update site.
The final fix affects Exchange Server 2003. The flaw concerns Exchange 2003 front-end servers running Outlook Web Access, where one user might find themselves connected to another user's account if that account had been recently accessed. However, their is no way of determining which account would be accessed.
Microsoft rates the vulnerability as moderate and has provided a patch at its security site.
Microsoft has not, as yet, fixed a flaw identified in December, that allows a URL to be displayed in the address field of IE different to the Web page displayed. This makes it easy for ill-intended types to create a 'bank-spoofing' page asking users to enter sensitive information.
- Flickr redesign: is it enough to tempt photographers back?
- Hands on with the new Google Maps
- Nokia Lumia 925 review: first look
- Why I won't subscribe to Creative Cloud
- GoPro camera strapped to a remote-control helicopter: the ultimate boy's toy
- Acer Iconia A1 review: first look
- Acer Aspire P3 review: first look
- Acer Aspire R7 review: first look
- How we produce the PC Pro podcast
- Google Now draining iPhone battery
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?
- Ransomware that's better made than antivirus software