Windows worm holes plugged

Microsoft has provided fixes for eight flaws related to Windows, including three that could be used to compromise a system without any user interaction.

The company issued six security bulletins as part of its monthly 'Patch Tuesday' cycle. Five of the updates were tagged "critical", Microsoft's highest rating of attack risk. One alert, MS06-069, calls out flaws in Adobe Systems' Macromedia Flash Player, which shipped with Windows XP. The others cover vulnerabilities in Microsoft software.

All of Microsoft's fixes address vulnerabilities in software related to its Windows operating system. Three of the security holes could be exploited remotely by an anonymous attacker without the user having to take any action, such as clicking on a link. The remaining five would require people to visit a malicious website or open a malicious file for an attack to succeed, according to Microsoft's alerts.

Got two seconds?

Make your voice heard - take our latest poll.

The most urgent issue is a flaw in Microsoft's "Workstation Service" in Windows 2000 and Windows XP, said Amol Sarwate, a research manager at vulnerability management company Qualys. "Attackers can remotely send malicious packets and cause code execution," he said. The problem is described in Microsoft alert MS06-070.

The Workstation Service routes file system and print requests, both local and on a network. It is a key part of Windows that can't be turned off or easily protected by a firewall, Sarwate said. "Really, the only solution is to apply the patch as soon as possible," he added.

The problem is most severe for Windows 2000, said Christopher Budd, a security program manager at Microsoft. "There is the potential risk of a worm for Windows 2000 but you don't have that with Windows XP SP 2," he said. The threat to Windows XP is mitigated because of its firewall and different networking technology, Budd said.

A hacker could exploit the Workstation Service flaw by creating a specially crafted message and sending it to a vulnerable computer. Microsoft said in its security bulletin, which it rates "critical": "An attacker who successfully exploited this vulnerability could take complete control of the affected system."

Two other vulnerabilities expose Windows machines to a similar risk of being used to spawn worms. These affect Microsoft's Client Service for NetWare and the NetWare Driver, which let Windows systems access network services on servers running Novell NetWare. However, this software is not installed by default.

In security bulletin MS06-066, Microsoft deems the NetWare issues "important", one notch below "critical" in its four-tiered rating scheme.

A "critical" update for Internet Explorer, MS06-067, addresses three vulnerabilities, two of which cyber crooks are already tapping. An expected patch for XML Core Services delivered with bulletin MS06-071 plugs a flaw in that Windows add-on which had also surfaced in cyber attacks.

The IE update also addresses a new flaw, which lies in the way it handles certain HTML layout combinations, Microsoft said.

Joris Evers writes for CNET News.com