Windows XP, Office and SQL Server open to new attacks

Microsoft late on Wednesday warned of three new bugs in its software, including a flaw in SQL Server 7.0 and 2000 that could allow an unauthorised user to execute particular administrative functions called Web tasks. The company also disclosed a flaw in Windows XP that could allow an attacker to delete files, and one in Office that could lead to information disclosure.

The SQL Server bug received Microsoft's highest rating of "critical" because it could allow a low-privileged user to execute high-privilege functions. A flaw in the way the server handles permissions could allow any user who authenticates to a server to run, delete, insert or update Web tasks created by other users. Web tasks create a task that executes database queries and uses the results to produce a Web page.

Any Web task executed could be run in the context of the user who created the Web task, Microsoft said. This would typically be the SQL Server Agent service account. However, by default this account runs with the privileges of a domain user rather than with higher-level system privileges, Microsoft said.

The company added that attackers could only exploit the bug if they were already authenticated to the server, barring most of the general public. The attacker would also be unable to create new Web tasks. More information and a patch are available on Microsoft's Web site.

David Litchfield was credited with originally reporting the bug to Microsoft, and Martin Rakhmanoff also contributed to the investigation, Microsoft said.

A second flaw affects the Windows XP version of Help and Support Center, which contains help files and access to Windows Update, among other features. A mistake in permissions could allow a malicious Web page or HTML email to call on a file within Help and Support Center, causing it to erase any file on the user's PC.

However, the attacker would have to know the exact location of the file he or she wished to delete, and would have to entice the victim to view a specially-formed Web page or HTML email. Windows XP Service Pack 1 eliminates the bug, and Internet Explorer 6.0 Service Pack 1 would prevent Help and Support Center from being launched from Outlook or Outlook Express, Microsoft said.

A patch for this flaw was posted on Microsoft's site.

The third flaw could allow a specially modified Word or Excel document to gather information from a PC that could later be retrieved from the document by an attacker. The attack uses features in Word and Excel designed to update documents from an outside source.

A flaw would allow the Word or Excel document to update itself with the contents of a file from the user's computer, without giving any indication that this had happened. But to succeed the victim would have to be convinced to receive a document, modify it and then return it to the attacker, Microsoft said. A patch was made available here.

Microsoft has been on a drive to give all its products watertight security since earlier this year. However, it continues to regularly issue new warnings, the three latest bugs bringing to 61 the total number of notifications this year.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.