'New Windows security concerns in the wild', says Microsoft

Microsoft has warned of two security issues that could put some Windows users at risk of attack and said it is investigating a third possible vulnerability.

One security problem is reminiscent of the recent high-profile security woes that affected Windows. It is related to how aging versions of Internet Explorer handle malformed Windows Meta File images on the Windows Millennium Edition and Windows 2000 operating systems.

The flaw exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in a security advisory. Users could be attacked simply by viewing a malicious image on a website, in an email or in an image viewer, Microsoft said.

"An attacker who successfully exploited this vulnerability could take complete control of the affected system," Microsoft said in its advisory.

Though the WMF vulnerability may appear similar to previous flaws related to WMF that plagued Windows, the issue is different, Microsoft said. Last month the software maker rushed out a fix for a WMF rendering flaw that was being exploited to install spyware on the computers of unwitting Windows users.

To remedy this new WMF problem, Microsoft recommends users upgrade to IE6 with Service Pack 1 and said it may issue a security patch.

In a second security advisory, Microsoft warned of a problem with overly permissive access controls in Windows XP and Windows Server 2003. The problem exists only in versions that do not have the latest service packs installed, the company said.

The access control issue could be exploited by a user with low privileges to run programs and commands that normally require a higher privilege level, Microsoft said. The software maker suggests installing Service Pack 2 on Windows XP or Service Pack 1 on Windows Server 2003 to limit exposure or manually changing access controls on the four affected Windows components.

In addition to the security advisories, a Microsoft representative said the company is investigating a potential vulnerability in its HTML Help Workshop, a part of the HTML Help Software Development Kit version 1.4.

Attack code that takes advantage of the flaw is publicly available. A successful attack could give an attacker full control over a vulnerable computer, security monitoring company Secunia said in an alert. However, the scope is limited because the vulnerable software is used only by software developers and is not part of Windows, according to Microsoft.

"Microsoft's initial investigation has revealed that customers who have not installed the HTML Help SDK on their systems are not impacted by this report," the representative said.

Microsoft's next 'patch Tuesday' is on 14 February. The company on Thursday is expected to release some details on what software fixes it will deliver.