Microsoft kicked off the new year by fixing three vulnerabilities on its first regularly scheduled patch day.
The most serious flaw affects the way that Windows systems store the data associated with Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) network requests. The vulnerability affects both Windows Vista and Windows XP Service Pack 2 and is rated Critical by Microsoft for those operating systems. An attacker could take control of a user's machine by sending it a specially crafted IGMP or MLD request, Microsoft stated in its bulletin.
"An attacker who successfully exploited this vulnerability could take complete control of an affected system, ... (and) could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft stated.
The company also fixed a problem in the way that Windows handles Internet Control Message Protocol (ICMP) requests, which could be exploited in a denial-of-service attack. Because the vulnerable component is not active by default, the software giant rated the flaw as Moderate, its third-highest severity rating for software flaws. The third vulnerability -- in Microsoft Windows' Local Security Authority Subsystem Service (LSASS) -- could allow an attacker to gain complete access to a system if the person already has valid log-on credentials.
In 2007, Microsoft issued a total of 69 bulletins. On Tuesday, the software giant had not yet updated its Security Vulnerability Research & Defense blog, which it launched last month, with technical details of the flaws.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos