Microsoft has released patches for two security holes in its Internet software that could allow hackers to read files off a user's computer or information in Web pages that they visit. The company also patched server glitches that could let attackers crash Web servers or take over computer networks attached to Microsoft Web servers. Three of the four alerts were classified by Microsoft as 'critical'.
The new warnings come as Microsoft continues to strongly publicise its efforts to make its software more secure. Microsoft is promoting its .Net strategy for making its software as central to Internet-based services as it is on the desktop, but many have doubts about whether Microsoft products are secure enough to do the job.
The security glitches have been discovered in the Internet Explorer Web browser, Microsoft's XML Core Services 2.6 and later, Microsoft SQL Server and Microsoft Commerce Server 2000. They are repaired by several separate new patches, which Microsoft recommends affected users to install immediately.
XML Core Services is shipped with all copies of Windows XP, the new version of Microsoft's dominant PC operating system.
The Internet Explorer VBScript bug
In Internet Explorer, a flaw exists in the way VBScripts -- pieces of code that can be embedded into Web pages -- in one browser frame can access the content of other browser frames. An attacker could create a Web page or HTML email that would let him either read files from the user's local drive, or read information from pages subsequently visited by the user. The second scenario could mean, for example, that the attacker could read credit card numbers and passwords typed by the user into third-party Web sites. The attacker could only read local files that can be displayed in a browser, such as text or HTML files, and would have to know the exact path to the file in order to read it. However, system files in Windows are often stored in default locations. The vulnerability arises because of a problem with the way IE handles security for VBScripts attempting to read data from another browser frame that originates from a different domain. Scripts normally shouldn't be allowed to do this, but the flaw allows them to do so. The bug affects IE versions 5.01 SP2, 5.5 SP1, 5.5 SP2 and 6.0. The IE patch is here, and is also available through Windows Update. The XML Core Services bug
XML Core Services 2.6 and later -- shipped with Internet Explorer 6.0, SQL Server 2000 and all copies of Windows XP -- contains a similar bug that could let a hacker read data from the user's computer. The flaw occurs in an ActiveX control called XMLHTTP, which allows Web pages in the browser to send and receive XML data via HTTP, the standard Web transfer protocol. XML is an Internet language for describing just about any sort of data. XMLHTTP doesn't properly check the security settings for some types of data requests in a Web page, allowing them, if properly disguised, to request data from the user's hard drive. An attacker could fashion a Web page to secretly read files from the user's computer, but would first have to cause the user to visit the page. The attack couldn't be carried out in an HTML email. As with the IE bug, the attacker would have to know the full path name to the file he or she wanted to read. The patch is available here, or through Windows Update. Commerce Server open to attacks
The Commerce Server 2000 glitch is different, allowing attackers to launch what's known as a Denial of Service (DoS) attack, crashing the server, or to run the code of his choice on the server. Commerce Server is based on Microsoft's Internet Information Services server, but IIS itself isn't vulnerable. The fault occurs with a default Commerce Server file called AuthFilter, which handles some authentication procedures. An attacker could send authentication data that overran an unchecked buffer in AuthFilter, causing the AuthFilter process to fail or causing it to run code of the attacker's choice. The process in question runs with advanced privileges, which would give the attacker complete control of the server. In some cases the attacker could extend his control of the compromised server onto other computers on the network, depending on the security access given to the Commerce Server, according to Microsoft. A patch for the bug is available here, and will be included with Commerce Server 2000 Service Pack 3, Microsoft said. SQL Server denial-of-service risk
Finally, SQL Server includes a similar unchecked buffer glitch that leaves it open to DoS attacks. SQL Server 7.0 and 2000 include an unchecked buffer in a function designed to let the server create an "ad hoc" connection to remote data sources. A hacker could create a buffer overflow by sending a specially formed database query through a Web site, or by attempting to load and execute a query. The buffer overflow would crash the server, or give the attacker the ability to run code with the same system privileges as the server. The exploit wouldn't always be available, however, depending on the way the server is configured. The patch for SQL Server 2000 is here, and the patch for SQL Server 7.0 is here. The security alerts were all released late last week.