
Fixes for 14 flaws...
By Joris Evers
Published: 12 October 2005 09:25 BST
Microsoft on Tuesday issued fixes for 14 flaws in Windows, including a security hole that one expert says is ripe for exploitation by a major worm.
The majority of the vulnerabilities addressed in nine security bulletins from Microsoft require some user interaction for an attack to succeed. That means an attacker would have to trick people into visiting a malicious website, clicking on a bad link or opening a malformed file to exploit the security holes.
However, the vulnerabilities rated "critical" may allow a system to be compromised remotely without any user interaction. One such flaw, described in Microsoft's MS05-051 security bulletin, lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC.
Marc Maiffret, the chief hacking officer at security specialist eEye Digital Security, said: "It is a remote system vulnerability that could very easily be turned into a worm. It is very similar to the vulnerability two months ago that resulted in the Zotob worm."
The MSDTC buffer overflow flaw primarily affects computers running Windows 2000. Depending on configuration, it could also be used against a computer with Windows XP with Service Pack 1 or Windows Server 2003, Microsoft said in its advisory.
Stephen Toulouse, a program manager in Microsoft's Security Response Center, said: "Among the critical updates, customers who run older versions of the operating system such as Windows 2000 should prioritise MS05-051 for deployment on those systems."
The MS05-051 update also fixes three other bugs in Windows but these carry varying risk ratings, depending on the operating system. One, deemed critical, is a flaw in a Windows component that handles resource management tasks, called COM+. This security hole is also found in Windows 2000 and Windows XP SP1.
People who run older versions of the operating system are more at risk from the MSDTC and COM+ vulnerabilities, Toulouse said. That goes for the rest of the 14 flaws tackled by the patches issued on Tuesday.
Toulouse said: "In general, many of these bulletins have a lower impact in terms of severity and are much more difficult to exploit on newer operating systems such as Windows XP SP2 and Windows Server 2003 SP1."
Despite being put on the back burner by Microsoft, the older Windows 2000 is still popular among corporations.
Both the MSDTC and COM+ flaws were privately reported to Microsoft by researchers following the company's "responsible disclosure" practices. The software giant said it is not aware of any attacks that exploit the flaws.
Maiffret of eEye said he believes it will be only a matter of days for the first attack code to surface. "There is no technical challenge in writing a worm for the [MSDTC] vulnerability. It really depends if somebody decides to or not," he said.
Microsoft's Toulouse said the software giant will be watching for malicious software.
Microsoft has labelled two other security alerts as critical. One patch, delivered in MS05-050, fixes a problem in software for streaming media in Windows, called DirectShow. The other, in MS05-052, repairs problems in Internet Explorer similar to those patched in July and August.
Joris Evers writes for CNET News.com