Critical Microsoft Agent flaw hits Windows 2000

Summary: The most serious vulnerability covered in Microsoft's September patch batch is a remote code execution issue in the way Microsoft Agent handles certain specially crafted URLs.

It's a relatively light Patch Tuesday in Microsoft-land.

As expected, the software giant dropped four security bulletins (one was withdrawn at the last minute) with fixes for potentially serious holes in Windows, Visual Studio, Windows Services for UNIX, MSN Messenger and Windows Live Messenger.

The most serious vulnerability covered in this batch is a remote code execution issue in the way Microsoft Agent handles certain specially crafted URLs.

The bulletin (MS07-051) affects only Windows 2000. Because that version of the operating system is out of mainstream support, Microsoft only offers free patches for Windows 2000 SP4 (Service Pack 4).

Microsoft rates this as "critical" and warns:

The vulnerability could allow an attacker to remotely execute code on the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The company is also urging Windows users to pay special attention to MS07-054, an "important" bulletin that includes patches for a code execution hole affecting MSN Messenger and Windows Live Messenger.

The flaw, which has already been publicly documented, could allow PC takeover attacks when a user accepts a webcam or video chat invitation from an attacker.

This update applies to MSN Messenger and Windows Live Messenger running on all versions of Windows (including Vista). Microsoft users running MSN Messenger 7.0.0820 or Windows Live Messenger 8.1 are not affected by this vulnerability.

[SEE: MSN Messenger vulnerable to ‘highly critical’ webcam flaw ]

A third remote code execution issue in Crystal Reports for Visual Studio is also addressed by the September patch batch. This update (MS07-052), rated "important," could allow arbitrary code injection attacks if a user is tricked into opening a booby-trapped RPT file. An attacker could exploit the vulnerability by sending an affected user a malformed RPT file as an e-mail attachment, or hosting the file on a malicious or compromised Web site.

The fourth update (MS07-053) applies to Windows Services for UNIX. This bulletin affects all versions of Windows (including Vista) and could allow an attacker to gain elevation of privilege.


Talkback

12 comments
  • Correction re: "mainstream support"

    "Because that version of the operating system is out of mainstream support, Microsoft only offers free patches for Windows 2000 SP4 (Service Pack 4)."

    Whether an OS is out of mainstream support is irrelevant in this case -- XP is still in mainstream support but its free patches are only available for the latest service pack, just like 2000. It's based on how long that service pack had been available: in XP's case SP1 went out of support 24 months after SP2 was available; I believe it was something similar for 2000.
    PB_z
  • Is it really a W2K + Internet Explorer problem?

    "remote code execution issue in the way Microsoft Agent handles certain specially crafted URLs"

    Since the only part of the operating system that "handles" specially crafted URLs is Internet Explorer, could it be that users of non-IE browsers are not at risk? I'd be curious to know.
    WiredGuy
    • In the workaround info, MS suggests turning off ActiveX

      After I had a chance to read through Microsoft's documentation, it appears that you would have to visit a web site in IE or Outlook that would then transfer and execute an Active-X control which could do bad things.
      If you turn off auto-launching of Active-X controls or if you don't use IE, Outlook or Outlook Express, you're probably safe.
      WiredGuy
  • RE: Critical Microsoft Agent flaw hits Windows 2000

    Here comes the next, latest round of 'Anything before Vista is full of bugs' laments to get folks off of older OSes and onto Vista.

    Just like always, prior Microsoft warez is 'bullet-proof' until a newer Microsoft warez is released.
    nomorems
    • Yes, and who knows better than Microsoft?

      How to create bugs that will affect older Windows versions?

      Naaaaah, they wouldn't do that, would they? Honest folks wouldn't stoop to such dirty tactics, y'think?
      Ole Man
      • You're a nut.

        Log off and take your medicine.
        rtk
  • RE: Critical Microsoft Agent flaw hits Windows 2000

    It's hard to believe that people are still using that Dinosaur. It's one big hole!!


    http://www.astawerks.net
    astawerksdotcom
    • It's the last Microsoft system made

      That isn't riddled with Microsoft created and sponsored malware (activation, validation (WGA), reactivation, and DRM).

      I'd sooner take my chances with hackers than with Microsoft. A hacker has to figure out how to hack a system, but Microsoft already knows. They created it, didn't they?
      Ole Man
    • I'm using Windows 2000... but I'm clippy-free.

      But so far as I know, I'm not vulnerable to this hole.

      Why?

      Because I don't use any Microsoft applications to view untrusted content.

      And so far as I know I don't even use anything that uses Microsoft Agent in any form. As near as I can tell, they're talking about *clippy* and his annoying friends.
      Does ANYONE use that other than Office?
      Resuna
      • Web pages can use it

        Agent is available as an ActiveX control and available for web pages to use. Unless you've either set the killbit for the control or followed one of the workaround steps in the security bulletin.
        PB_z
  • Amusing

    I find it amusing that the patch is to be deployed using the MSN Messenger/Live Messenger Service as the download path, the same path followed by the actual vulnerability. lol
    Louis.Ross@...
  • Yawn

    Shocking! Good thing I am still using Windows 98!
    Snarfiorix