Microsoft Reveals Two New Bugs

On the same day Microsoft assured consumers it could protect their PCs, it owned up to two new security problems, one of which was yet another issue with Windows Metafile (WMF) images, the flaw that sent users scrambling in late December and early January.

On Tuesday, Microsoft released a pair of security advisories in response to an out-in-the-wild tool that can escalate attackers' privileges, and a new WMF hole in older versions of Internet Explorer.

The IE problem, said Microsoft in the advisory, is yet another in a long list of Windows Metafile vulnerabilities, but affects only IE 5.01 and IE 5.5, two aged versions that by one Web metrics vendor's estimate, accounted for just 2.3 percent of all browsers used in January.

The bug is similar to the zero-day vulnerability which went so wild in late 2005 that users rushed for an unauthorized patch before Microsoft finally went out-of-cycle to fix the flaw. As in the earlier scenario, hackers could use this new one to craft malicious WMF images, then plant them on Web sites or deliver them by e-mail, to grab control of PCs.

Users of IE 5.01 and 5.5 should upgrade to IE 6.0, which is not vulnerable to the new bug.Ironically enough, an anti-spyware security expert predicted earlier Tuesday that the WMF bug would haunt Windows users in 2006.

"The Windows Metafile vulnerability will continue to be the way most spyware is delivered throughout 2006," said Richard Stiennon, director of threat research at Boulder, Colo.-based Webroot.

A separate advisory from Microsoft acknowledged that a paper presented Jan. 31 by a pair of Princeton University researchers had given hackers a head-start on an exploit that would let them boost PC privileges.

"These vulnerabilities could allow a malicious authenticated user to launch a privilege escalation attack," read the advisory. "An attacker could change the default binary that is associated with the affected services. Then an attacker could stop and restart the services to run a malicious program or binary."

Windows XP SP1, Windows Server 2003, and an unknown number of third-party applications, can lead to a PC compromise, said Microsoft, which recommended that users update to XP SP2 and Windows Server 2003 SP1, neither of which have the bug.As is its usual practice in security advisories, Microsoft didn't promise a patch for either problem, but left the door open to future updates. The next scheduled patch date is Feb. 14, although if history is any indicator, Microsoft would not be able to roll out patches for either that quickly.