One fix deals with vulnerabilities in Internet Explorer, while the others tackle problems with HTML Help and Server Message Block in the Windows operating system. The security bulletins were three of 10 released by the software giant as part of its monthly patch cycle.
"This is definitely a significant set of patches," said Jimmy Kuo, a McAfee fellow. "We have three remote code execution patches -- one being for IE, which is prevalent. The other two are for HTML Help and Server Message block, which are also installed on all PCs with Windows"
The other security bulletins included four rated "moderate" that affect Windows and the Exchange e-mail server. Three "important" alerts address problems in Windows, Windows Services for Unix, Internet Security and Acceleration Server and Small Business Server.
Microsoft's rating system deems a security issue as critical -- its highest ranking -- if it could enable a worm to spread without any action from the PC user. Important flaws are those that could compromise people's data or threaten system resources, while the risk from moderate security holes can be restricted by measures such as configuring the default.
The three critical flaws could allow an intruder to take control of a computer, Microsoft said. The problem in IE is a PNG Image Rendering Memory Corruption vulnerability and affects a range of versions, including IE 6 for Windows XP Service Pack 2.
PNG images are similar to JPEGs and are used in many multimedia formats. The IE vulnerabilities allow fields to be malformed when reading or processing the image. That can result in a buffer overflow and open the system to a remote attacker.
"The PNG vulnerability is the most significant of the three," said Vincent Weafer, a senior director at Symantec Security Response. "This is a file format flaw and it's not something users are thinking of, which is why they need to watch out for it."
The Windows HTML Help vulnerability affects Windows XP Service Packs 1 and 2, Windows 2000 Service Packs 3 and 4, and other versions and service packs.
Although the server message block could let an intruder into a PC, the attacker needs to get authentication on the system to exploit the vulnerability. Among the Windows versions threatened by the flaw are Windows XP Service Packs 1 and 2 and Windows 2000 Service Packs 3 and 4.
Microsoft gave IT administrators a heads-up about the fixes last week as part of its prenotification process. It said it expected "at least one" critical vulnerability among the 10 bulletins that were coming.
Last month, Microsoft's monthly patch cycle contained less severe vulnerabilities, as it issued only one important fix for its Windows 2000 Service Packs 3 and 4. The flaw would allow a malicious attacker to execute arbitrary code and take over users' computers if they were persuaded to view a malicious file.
This is unhappy stuff, I feel. In http://support.microsoft.com/kb/893066
referred to in the "Vulnerabilities in TCP/IP" security bulletin, there are caveats about the possibility of networking services and/or speed being impacted by installation of the fix. The thought that comes to mind is "What - even slower than at present?"
It seems that network speeds have plummeted with XP, perhaps particularly in mixed networks with XP as well as 98 and other OS's running, illustrating the price to be paid for enhanced security.
But is there an end in sight to the lowering of network speed with each successive security fix? Will we only become secure when we're no longer TCP/IPing at all?
This is not a complaint about Microsoft, it's a pseudo philosophical question or something.