Windows XP, Office and SQL Server open to new attacks

More Microsoft security mayhem
Written by ZDNet Staff, Contributor

Microsoft has warned of three new bugs in its software, the most serious of which could allow a malicious hacker to change documents held on a user's PC and execute database queries without the high-level privileges usually required to carry out such functions.

The company has been alerted to a flaw in SQL Server 7.0 and 2000 that could allow an unauthorised user to execute particular administrative functions called web tasks. The company also disclosed a flaw in Windows XP that could allow an attacker to delete files, and one in Office that could lead to information disclosure.

The SQL Server bug received Microsoft's highest rating of "critical" because it could allow a low-privileged user to execute high-privilege functions. A flaw in the way the server handles permissions could allow any user who authenticates to a server to run, delete, insert or update web tasks created by other users. Web tasks create a task that executes database queries and uses the results to produce a web page.

Any web task executed could be run in the context of the user who created the web task, Microsoft said. This would typically be the SQL Server Agent service account. However, by default this account runs with the privileges of a domain user rather than with higher-level system privileges, Microsoft said.

The company added that attackers could only exploit the bug if they were already authenticated to the server, barring most of the general public. The attacker would also be unable to create new web tasks.

A second flaw affects the Windows XP version of Help and Support Center, which contains help files and access to Windows Update, among other features. A mistake in permissions could allow a malicious web page or HTML email to call on a file within Help and Support Center, causing it to erase any file on the user's PC.

However, the attacker would have to know the exact location of the file he or she wished to delete, and would have to entice the victim to view a specially-formed web page or HTML email. Windows XP Service Pack 1 eliminates the bug, and Internet Explorer 6.0 Service Pack 1 would prevent Help and Support Center from being launched from Outlook or Outlook Express, Microsoft said.

The third flaw could allow a specially modified Word or Excel document to gather information from a PC that could later be retrieved from the document by an attacker. The attack uses features in Word and Excel designed to update documents from an outside source. The flaw would allow the Word or Excel document to update itself with the contents of a file from the user's computer, without giving any indication that this had happened. But to succeed the victim would have to receive a document, modify it and then return it to the attacker, Microsoft said.

Microsoft has been on a drive to give all its products watertight security since earlier this year. However, it continues to regularly issue new warnings, the three latest bugs bringing to 61 the total number of notifications this year.

For more information see http://www.microsoft.com/technet/.

Matthew Broersma writes for ZDNet UK