One of the problems affects the Microsoft Color Management Module, a component of Windows that handles colors. The other relates to the JView Profiler, part of Microsoft's Java Virtual Machine. The vulnerabilities could be used to commandeer a PC, Microsoft said.
"Attackers are already using the JView Profiler flaw to download and install Trojan horses on victims' machines," said Dan Hubbard, senior director at Websense Security Labs. The Trojan horses would let the miscreants remotely control the hijacked PCs and make it part of a network of such computers known as a botnet, an increasing cyberthreat.
The Windows vulnerabilities are described in two bulletins issued as part of Microsoft's monthly patch cycle. A third alert deals with a bug affecting Word 2000 and Word 2002. The Word flaw could allow an attacker to take control of a vulnerable PC, the software maker said.
All three bulletins get Microsoft's highest security rating, but only the Windows flaws are actively being used to attack users, Microsoft said. The company is encouraging all customers to apply its updates. Security software vendor Symantec said in a statement that the JView Profiler and Color Managament Module issued that affect Windows are "the most serious" of Microsoft's three new security bulletins.
Modes of attack
An intruder could take advantage of the JView Profiler flaw by crafting a malicious Web page and persuading a user to visit the site, Microsoft said. The vulnerability has been publicly known since late last month, and Microsoft last week offered a fix for the problem, but did not send it out via its automatic patching services. The patch will now go out on Automatic Updates and on other services from Microsoft.
As for the Color Management Module vulnerability, people could fall victim to an attack by viewing a malicious image, said Stephen Toulouse, a security program manager at Microsoft.
"You could visit a Web page, and if you have not applied the update, malicious code could execute," Toulouse said. "You could click on a maliciously formed image attached to an e-mail, or you could just preview an image in an e-mail."
Because attackers have more than one way of enticing potential victims, Microsoft deemed the Color Management flaw critical, he noted.
Although the vulnerability was privately reported, Microsoft said, it is already being used in attempts to attack users.
"We have not seen a public posting detailing how to exploit the vulnerability," Toulouse said. "However we have been made aware that there are people attempting to exploit it."
Neel Mehta, a team lead at Internet Security Systems, said he expects a public exploit for the image problem within the week. "It is being analyzed by the underground. Exploitation of this issue will likely be widespread when a public exploit appears," he said.
The JView Profiler and the Color Management flaw affect all current Windows and Windows Server operating systems, including Windows XP with Service Pack 2 and Windows Server 2003 with Service Pack 1, the most recent versions that Microsoft has promoted as its most secure releases ever.