There are three Windows vulnerabilities addressed by three new security bulletins. Two of them are rated critical and one is rated important.
Details
Leading off the year, Microsoft Security Bulletin MS05-001, "Vulnerability in HTML Help Could Allow Code Execution", includes fixes for a remote code execution vulnerability found in most versions of Windows (and all service packs) when running Internet Explorer 6. That even includes Windows XP with Service Pack 2.
The source of the problem is the HTML Help Active X control (hhctrl.ocx), which can permit cross-domain information exchanges through an attack launched by visiting a specially crafted malicious Web site. There are reports of the vulnerability being actively exploited in the real world, so this is a very serious threat.
Patching this threat causes various well-known problems, which are documented in Microsoft Knowledge Base Article 890175.
MS05-002, "Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution", is a replacement for MS03-045 and does not affect XP SP2 systems.
This bulletin covers two threats and you can find more about one threat, "Cursor and Icon Format Handling Vulnerability," in BUGTRAQ and CVE CAN-2004-1049. The other threat is a "Windows Kernel Vulnerability".
Microsoft Security Bulletin MS05-003, "Vulnerability in the Indexing Service Could Allow Remote Code Execution", does not affect XP SP2 or some older operating systems. It is a remote code execution threat. This is a newly discovered vulnerability, which was privately reported to Microsoft; no exploits were known to be circulating at the time the bulletin was released.
Applicability MS05-002 affects most Windows versions with the exception of XP SP2. The vulnerability in MS05-003 only affects XP versions prior to the installation of Service Pack 2, Windows 2000 through SP4, and Windows Server 2003. It does not affect XP SP2, Windows 98, Me, NT 4 Servers with SP6, or Windows 2000, although Microsoft does recommend installing the update for Windows 2000 anyway because it contains other important security upgrades.
Risk level - Critical Exploiting the Active X threat described in MS05-001 could allow an attacker to capture confidential information or completely take over a system by running random programs on vulnerable computers. This is a critical-rated threat for all affected systems except Windows Server 2003, for which Microsoft only rates this as a moderate threat. MS05-002 addresses two threats. One, the cursor and icon handling vulnerability, is rated critical for all affected systems because it can allow remote code execution. The other, the Windows kernel vulnerability, is only rated important for all affected systems, but it can trigger a denial of service event that would require a reboot to fix. The indexing service vulnerability covered in MS05-003 is only rated important for XP, XP SP1, and Windows Server 2003 because, although it can result in remote code execution and complete system compromise, Microsoft reports that it is far more likely to simply trigger a denial of service event.
Mitigating factors Both of the vulnerabilities covered in MS05-002 are less of a threat via an email attack if you are running IE 6 and have installed the update from MS03-040, or other cumulative updates, and run Outlook versions in their default configuration. The indexing services covered by MS05-003 are not enabled by default and even when it is installed it is not normally accessible via the Internet.
Fix The impact of MS05-001 can also be addressed by increasing "Local" security settings to "High," causing users to be prompted for permission to run Active X controls. Avoiding random surfing and confining Web contacts only to trusted sites will eliminate the threat where that is practical and opening emails only in plain text will prevent attacks initiated via that channel. You can also disable the Active X Help system but this requires editing the Windows Registry, which can be dangerous. A workaround for both of the vulnerabilities in MS05-002 is to open emails only in plain text, so animated cursors and other HTML code are not activated. Workarounds for the threat described in MS05-003 include proper firewall configuration.
Final word Reading the first of these notices probably seems like deja-vu all over again but this really is a new threat, only now being addressed even though it's far from the first Help system threat.
The threat of MS05-001 is reduced in newer versions of Windows and Outlook because they open new Web site pages in a restricted zone.
Applying the patches is, of course, the best fix.
Talkback
I wonder if installing and only using FireFox for Internet browsing (with the exception of Windows Update thanks to Microsoft's fine web developers) would also help a lot as far as current and future Internet Explorer security problems are concerned. Thought I mention this because I didn't see FireFox mentioned under fixes.
The only time I use IE is when I go to http://windowsupdate
.microsoft.com ... or to some MAJOR site that requires it ...
Else - use Firefox. It rocks, and it's faster than IE.
I now only use Firefox and Thunderbird. I still have IE6 and Outlook Express on my machine but no active.
Does this mean Auto Update will not work? I am almost certain I have received updates from MS since I was 'converted' to the Mozilla programs.