Microsoft on Tuesday afternoon alerted users of a trio of new security vulnerabilities in Windows and Internet Explorer, one of which was characterized by its discoverer as even more dangerous than the flaws that spawned some of the biggest worms of all time, Nimda and Code Red.
While the Redmond, Wash.-based developer tagged two of the three vulnerabilities as "critical" -- its highest warning rank -- one is of special concern.
The vulnerability relates to Microsoft Windows Abstract Syntax Notation (ASN), a language used to define the syntax of data messages shared between applications and computers. Any flaw in Windows' implementation of ASN is by definition critical, since the ASN library is widely used by the operating system's security subsystems, including Kerberos and NTLM authentication, as well as by applications that use digital certificates, including SSL, digitally-signed e-mail, and the ActiveX controls utilized by Microsoft's Internet Explorer browser.
A determined attacker could exploit the ASN vulnerability to create a buffer overflow in a targeted machine, which would in turn offer up complete control of the computer. From there, the sky's the limit: a hacker could install new software (including, for instance, Trojan horses), wipe hard drives, hijack files, or any of a thousand other things.
There is no work-around for the vulnerability, Microsoft said in the security bulletin issued Tuesday; the only way to correct the problem is to install the fix, which is available through the Windows Update service. Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 are all affected and must be patched.