Microsoft Warns Of Flaws In Windows, Outlook, Messenger

In its newest monthly round of patches, Microsoft Tuesday warned users of three vulnerabilities in a trio of its top products: Windows, Outlook, and its instant messaging client, Messenger.

March 10, 2004

Network Computing

Unlike in past months, however, none of the new flaws were rated as "Critical," the Redmond, Wash.-based developer's highest ranking in its four-step threat assessment system.

The top-rated vulnerability of the three was for Outlook 2002, the e-mail client packed with the now-aging, but still widely-used, Office XP suite. Microsoft has ranked this security flaw as "Important," one step below Critical.

"This is the one that's most dangerous," said Craig Schmugar, the virus research manager with Network Associates' AVERT analysis team. "The vulnerability allows for arbitrary code execution, which we've seen heavily exploited in the past."

The vulnerability, which affects versions of Office XP and Outlook 2002 that have been updated only as far as Service Pack 2 (SP2) -- users who have applied SP3 to Office XP and Outlook 2002 are safe, as are those who use Office 2003 and Outlook 2003 -- could be exploited by a hacker who entices users of Internet Explorer to a malicious Web site or gets them to view an HTML e-mail message. Once at the Web site, or by viewing an HTML message, users could be infected with other code of the hacker's choice -- such as a Trojan horse or a worm -- or their system could grant the attacker complete access to the machine, where he or she could delete files, change settings, or wreak other havoc.

According to Microsoft, there are some mitigating factors that may limit the vulnerability. Users are only at risk when the "Outlook Today" folder is the default folder home page, for instance. (Outlook changes the default folder home page to "Inbox" when the first e-mail account is set up in the client.)

Microsoft has posted an update that takes care of the problem, as well as a workaround.

"This one gets into the gray area," added Schmugar when asked if the security hole was large enough for hackers to bother exploiting. "The risk is reduced by the configuration specifics of Outlook, and it doesn't affect all versions, just Outlook 2002. But I think that's enough of an installed base for hackers to target."

The Windows vulnerability disclosed Tuesday affects Windows Server 2000 Service Pack 2, Service Pack 3, and Service Pack 4, and stems from a gaffe in the way that Windows Media Station Service and Windows Media Monitor Service, both pieces of Windows Media Services and included in Windows 2000 Server, handle TCP/IP connections, said Microsoft.

Windows Media Services, which is used to multicast video and audio content in Windows Media format, could be exploited by a remote user who sends a maliciously-crafted sequence of TCP/IP packets to Windows Server 2000; that could stop Media Services from responding, and result in a denial-of-service (DoS) attack on the server.

Microsoft rated this vulnerability as "Moderate," the second-from-the-bottom ranking, since by default, Windows Server 2000 doesn't install Windows Media Services. Users with Windows Media Services installed, however, should apply the patch, or alternatively, disable the service. Another workaround is to block ports 7007 and 7778 at the firewall for those multicasting via TCP. (These are the two open ports on the service that a hacker could use to send his mutated TCP packets.)

The patch for the Windows Server 2000 vulnerability can be retrieved from the Windows Update Web site, the service Microsoft operates to deploy general updates and security patches.

MSN Messenger 6.0 and 6.1 -- two versions of Microsoft's instant messaging (IM) client -- are the root of the third, and final, vulnerability made public Tuesday. Like the Windows 2000 Server vulnerability, this was rated as "Moderate" by Microsoft.

Both editions sport a flaw in how they handle file requests; IM clients, Messenger included, can be used to send files between buddies as well as conduct text chats. By sending a special type of file request to an MSN Messenger user, the attacker could surreptitiously view files on the recipient's hard drive. To exploit this, however, the attacker has to know the user's sign-on name and the name of the file he or she wants to see.

Oliver Friedrichs, senior director of Symantec's security response team, disagreed with Schmugar, and highlighted this vulnerability as the most dangerous of the three.

"This has the most potential for widespread impact," he said, "especially if a hacker could somehow harvest a large list of Messenger user names to exploit this vulnerability en masse."

With such a list, it wouldn't be tough for an experienced hacker to combine code from a known worm to run amok amongst MSN Messenger users.

Although the attacker has to know the name of the file he or she wants to view, that wouldn't stop dangerous scenarios from developing, said Friedrichs. "Documents with non-specific names would be safe from viewing, but an attacker could target password databases of known programs, for instance, or e-mail archives of Outlook."

Microsoft has posted an updated edition of MSN Messenger 6.1 on the software's home page which closes the security hole. Another way to defend against possible exploitation, said Friedrichs, is to set MSN Messenger so that it refuses messages from anonymous users, preventing anyone but known friends and colleagues from contacting you without your permission.

Windows Messenger, the IM client packaged with Windows itself, is not affected by this vulnerability.
