August 10, 2005, 9:52 AM — Microsoft Corp. has released patches for six flaws in Windows and Internet Explorer, some of which could allow an attacker to gain control of a computer system. The patches, which include a fix for a newly discovered flaw in Microsoft's Plug-and-Play software, were released Tuesday and comprise Microsoft's regular patch releases for August.
Three of the six vulnerabilities have been rated as "critical" by Microsoft, meaning that they could theoretically be taken advantage of to gain control of a computer without any action by the user. These three critical bugs concern the Windows Plug-and-Play system and Print Spooler software, as well as Internet Explorer's (IE's) image rendering software, the company said in a statement.
The other three patches cover less serious problems in the Windows Telephony Service, Remote Desktop Protocol and in the Windows implementation of the Kerberos authentication protocol.
Microsoft credits security vendor Internet Security Systems Inc. (ISS) with discovering the Plug-and-Play vulnerability, which was publicly disclosed Tuesday. Plug-and-Play is the standard technology that Windows uses to automatically configure peripheral devices.
No exploits for the flaw have yet been made public and it is of serious concern only to Windows 2000 users, said Neel Mehta, team leader of ISS's X-Force research team. But because attackers can easily take advantage of this bug to seize control of a Windows 2000 system, Mehta believes it will soon be exploited.
Windows XP users could technically be vulnerable to the Plug-and-Play bug as well, but they would have to alter their Windows Registry file for this to happen, Mehta said. "I think it would be very unlikely if you were in XP to be vulnerable."
Though more difficult for hackers to exploit, the Print Spooler vulnerability does affect Windows XP users and should also be considered critical, Mehta said. "I do expect to see exploits for Plug-and-Play and Print Spooler in about a week," he said. "We haven't seen issues this heavily exploitable in a while, so they will be heavily targeted by hackers."
The Internet Explorer patch concerns the way Microsoft's browser renders JPEG images, and it fixes the latest in a series of vulnerabilities related to the browser's image-rendering capabilities.
First disclosed on July 15, the vulnerability could be used to take over a user's computer via malicious Web pages, e-mail, or instant messaging, according to a statement released Tuesday by Symantec Corp. While there are no known attacks for the JPEG flaw, there are proof-of-concept JPEG images that can crash IE, the statement said.
Microsoft's notes on the August patches can be found here: http://www.microsoft.com/technet/security/bulletin/ms05-aug.mspx