Security Strategy

Microsoft finds malicious attack flaw

More patches for Windows...

Tags: patch, fix, security flaw, flaw

By Dawn Kawamoto

Published: 11 May 2005 10:00 BST

Microsoft has issued an "important" Windows security fix as part of its monthly patch cycle, tackling a script injection vulnerability that could allow an attacker to take over a PC.

The software giant has also published two early alerts as part of its new pilot program, Microsoft Security Advisories, which confirms reports of flaws and provides workarounds until it can send out a patch.

The monthly security bulletin addresses a vulnerability found in Windows 2000 Service Pack 3 and 4, which the company ranks as "important", its second-highest severity rating. The flaw also appears in the older Windows 98, Windows 98 SE and Windows ME.

Microsoft said in its bulletin: "A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged-on user."

That attacker could install programs and view, change or delete data, or create new accounts with full user rights, Microsoft said.

Security company Symantec has rated the risk from the flaw as "medium", noting that some user interaction is required for it to be used for an attack. For example, the PC user would have to download a corrupt document or save the document from an email attachment, then browse to the document using Windows Explorer.
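The bulletin above describes the flaw as Web View mishandling HTML characters in a file's preview fields. The defensive pattern that closes that class of bug is to escape every untrusted metadata value before it is placed into the preview's HTML. The following Python script is an added example, not Microsoft's code or the original Web View template; the metadata dictionary, the preview template and the helper names are constructed for illustration. It renders the same fields two ways, verbatim and escaped, and includes a small check that reports whether any rendered field still contains live markup.

```python
"""Escaping untrusted file metadata before it is shown in an HTML preview pane."""
import html
import re

# Constructed sample: metadata fields as they might be read from a document.
# The "author" field carries markup and an event handler instead of a name.
SAMPLE_METADATA = {
    "title": "Quarterly report",
    "author": 'Anon <img src="x" onerror="alert(1)">',
    "comments": "See <b>section 2</b> for figures",
}

# Hypothetical preview template; the placeholders are filled from metadata.
PREVIEW_TEMPLATE = (
    "<div class='preview'>"
    "<span class='field'>Title: {title}</span>"
    "<span class='field'>Author: {author}</span>"
    "<span class='field'>Comments: {comments}</span>"
    "</div>"
)

FIELDS = ("title", "author", "comments")


def render_preview_unsafe(meta: dict) -> str:
    """Interpolates metadata verbatim: any markup in a field becomes live HTML."""
    return PREVIEW_TEMPLATE.format(**{k: str(meta.get(k, "")) for k in FIELDS})


def render_preview_safe(meta: dict) -> str:
    """Escapes each field first, so markup in metadata is displayed as text.

    html.escape with quote=True turns <, >, &, " and ' into entities, which is
    sufficient for values placed in element content (not inside attributes or
    script blocks).
    """
    escaped = {k: html.escape(str(meta.get(k, "")), quote=True) for k in FIELDS}
    return PREVIEW_TEMPLATE.format(**escaped)


# Matches the start of an HTML tag: '<' followed by a letter or '/'.
_TAG_START = re.compile(r"<[A-Za-z/]")


def field_values(rendered: str) -> list:
    """Pulls the text of each field span out of a rendered preview (for checking)."""
    return re.findall(r"<span class='field'>[^:]*: (.*?)</span>", rendered)


def fields_contain_markup(rendered: str) -> bool:
    """True if any field value in the rendered preview still contains a tag."""
    return any(_TAG_START.search(v) for v in field_values(rendered))


if __name__ == "__main__":
    for name, render in (("unsafe", render_preview_unsafe), ("safe", render_preview_safe)):
        out = render(SAMPLE_METADATA)
        print(f"{name}: markup in fields = {fields_contain_markup(out)}")
        print(out)
```

The check in `fields_contain_markup` is deliberately narrow: it only inspects the interpolated values, because the template itself legitimately contains tags. A preview component that must show rich metadata would instead run the values through an HTML sanitiser with an allow-list of tags rather than escaping everything.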

Oliver Friedrichs, senior manager at Symantec Security Response, said in a statement: "It would be fairly easy for an attacker to create a malicious document that could compromise a system and circulate this document through email or websites.

"In order to combat this new and other security risks, users should always avoid opening files from unknown sources or following links to unverified sites. In addition, all users should deploy internet security solutions such as antivirus software and firewall technology."

More recent versions of the operating system are not affected by the flaw. But the company is urging people running Windows 2000 SP3 and SP4 to download the security update. Microsoft does not offer security patches for older versions of its software that it no longer supports, unless the vulnerability is rated "critical".

A Microsoft representative referred questions regarding what action Windows 98 users should take to the company's Microsoft Lifecycle Support site.

The software giant also released two security advisories of problems that do not necessarily require a patch from Microsoft. One notes a default setting in Windows Media Player Digital Rights Management could allow a user to open a web page without requesting permission.

The second is a clarification of Microsoft's simple mail transfer protocol (SMTP) Tar Pit feature in Windows Server 2003 Service Pack 1 for Exchange Server 2003.

The advisory notes: "Microsoft does not require or recommend that all customers implement this [Tar Pit] feature. It has been provided as an option for reducing the effectiveness of certain attacks that utilise standard features of the simple mail transfer protocol."

Dawn Kawamoto writes for CNET News.com
