Stephen Withers
Wednesday, 13 August 2008 06:37
Your IT -
Home IT
Page 5 of 6
A pair of flaws in the Windows event system could be exploited to execute remote code and take full control of a system running Windows 2000, XP, Vista, Server 2003 or Server 2008.
While an attacker requires logon credentials, it sounds like it may be possible to use these flaws to gain full privileges.
The bulletin for Outlook Express and Windows Mail covers a situation where a maliciously crafted web page opened with Internet Explorer could result in information disclosure due to the way IE hands-off MHTML URLs to Outlook Express or Mail.
The issue is rated important on Windows 2000, XP and Vista, but only low on Server 2003 and 2008 - presumably because people are less likely to be using a Server account for web browsing.
Messenger too is affected by an information disclosure issue, one that can allow an attacker to capture a user's Messenger credentials and therefore impersonate that user. Once again, an ActiveX control is the source of the vulnerability.
The patch for Windows Messenger 4.7 and 5.1 works by setting up a whitelist of applications that can access the ActiveX control. This approach was necessary as simply setting a kill bit for the control adversely affected Windows' Remote Assistance application.
The issue is classified as important on Windows 2000 and XP, and moderate on Server 2003. Vista and Server 2008 are not affected.
You can relax now, It's downhill from here! The
final page of the story outlines another Office flaw, along with the non-security updates for the month.
LATEST HEADLINES FROM YOUR IT
