
Risk of PCs being hijacked...
By Joris Evers
Published: 13 July 2005 08:33 GMT
Hackers are actively exploiting two serious security vulnerabilities in Windows, Microsoft warned on Tuesday as it released "critical" alerts about the flaws.
One of the problems affects the Microsoft Color Management Module, a component of Windows that handles colours. The other relates to the JView Profiler, part of Microsoft's Java Virtual Machine. The vulnerabilities could be used to commandeer a PC, Microsoft said.
Dan Hubbard, senior director at Websense Security Labs, said: "Attackers are already using the JView Profiler flaw to download and install Trojan horses on victims' machines." The Trojan horses would let the miscreants remotely control the hijacked PCs and make them part of a network of such computers known as a botnet, an increasing cyber threat.
The Windows vulnerabilities are described in two bulletins issued as part of Microsoft's monthly patch cycle. A third alert deals with a bug affecting Word 2000 and Word 2002. The Word flaw could allow an attacker to take control of a vulnerable PC, the software maker said.
All three bulletins get Microsoft's highest security rating, but only the Windows flaws are actively being used to attack users, Microsoft said. The company is encouraging all customers to apply its updates. Security software vendor Symantec said in a statement that the JView Profiler and Color Management Module issues that affect Windows are "the most serious" of Microsoft's three new security bulletins.
An intruder could take advantage of the JView Profiler flaw by crafting a malicious web page and persuading a user to visit the site, Microsoft said. The vulnerability has been publicly known since late last month, and Microsoft last week offered a fix for the problem but did not send it out via its automatic patching services. The patch will now go out on Automatic Updates and on other services from Microsoft.
As for the Color Management Module vulnerability, people could fall victim to an attack by viewing a malicious image, said Stephen Toulouse, a security program manager at Microsoft.
"You could visit a web page, and if you have not applied the update, malicious code could execute," Toulouse said. "You could click on a maliciously formed image attached to an email, or you could just preview an image in an email."
Because attackers have more than one way of enticing potential victims, Microsoft deemed the Color Management flaw critical, he noted.
Although the vulnerability was privately reported, Microsoft said, it is already being used in attempts to attack users.
Toulouse said: "We have not seen a public posting detailing how to exploit the vulnerability. However we have been made aware that there are people attempting to exploit it."
Neel Mehta, a team lead at Internet Security Systems, said he expects a public exploit for the image problem within the week. "It is being analysed by the underground. Exploitation of this issue will likely be widespread when a public exploit appears," he said.
The JView Profiler and the Color Management flaw affect all current Windows and Windows Server operating systems, including Windows XP with Service Pack 2 and Windows Server 2003 with Service Pack 1, the most recent versions that Microsoft has promoted as its most secure releases ever.
Joris Evers writes for CNET News.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.