Microsoft published two patches on Tuesday to fix four flaws in its Windows operating system, closing holes in the core library that handles extensible markup language (XML) and in the code that handles internal-network data.
The most serious of the three flaws in the company's XML Core Services library was rated Critical for Windows XP Service Pack 2 and 3 and for Windows Vista Service Pack 1. The vulnerability could allow an attacker to use a specially-crafted XML file to run code on a victim's system, Microsoft stated in its advisory. The two other issues in the company's XML Core Services library were considered a lower severity.
While the company rated the patch for its XML Core Services as the most critical of the two updates, other security experts believed the flaw in the Server Message Block (SMB) protocol, which the company rated as Important, was equal in severity. Eric Schultze, chief technology officer of Shavlik Technologies, said the SMB vulnerability was more interesting and, in fact, had been discovered nearly seven years ago. The flaw allows an attacker to access other computers on the network, if the file- or printer-sharing features are enabled.
"I used to demonstrate this attack in classroom training events around the country," Schultze said in a statement sent to SecurityFocus. "It was very eye opening for people to see a very easy to use exploit that could result in accessing anyone's computer on their network."
The good news, Schultze said, is that the default configuration on Windows XP Service Pack 2 and later would prevent the attack.
In a blog entry posted on Wednesday, Microsoft stressed that, in 2001, the problem could not have been fixed, but through a series of changes, the company is now able to shutter the security hole.
"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," Christopher Budd, program manager for the Microsoft Security Response Center, stated in the post. "And to be clear, the impact would have been to render many -- or nearly all -- customers network-based applications then inoperable."
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos