Attackers could exploit serious security holes in Windows, Office and Internet Explorer to take over machines and do a variety of damage, Microsoft warned Tuesday as it released three critical updates to patch the flaws.
Since exploit code for at least two of the vulnerabilities is already circulating, users should heed Microsoft's advice to patch immediately, said Mike Murray, director of vulnerability and exposure research for San Francisco-based security firm nCircle. "They're equally urgent," Murray said of the bulletins. "Exploit code is widely circulating for the IE vulnerability. There's also exploit code for the color management module flaw [outlined below], though that one is still in the underground."
While the IE flaw poses the biggest threat right now, the color management module vulnerability could quickly be exploited for an attack, warned Neel Mehta, team leader of the Atlanta-based Internet Security Systems X-Force. "[The latter problem] is a stack-based buffer overflow, which is easy to exploit," he said. "We get very concerned when this exists in a major operating system. Another thing that makes it a more attractive target is that it's easy to get people to view a malicious image."
The bulletins summarized:
The first bulletin fixes a critical font parsing flaw in Microsoft Word 2000 and 2002, Office 2000 SP3; Office XP SP3; and Works Suite 2000 through 2004.
"Attackers could exploit this to take over a machine and install programs; view, change or delete data; or create new accounts with full user rights," Microsoft said.
"Attackers could exploit this by constructing a malicious image file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."
This affects Windows 2000 SP4, Windows XP SP1 and SP2; Windows XP Professional x64 Edition; Windows Server 2003; Windows Server 2003 SP1; Windows Server 2003 for itanium-based systems; Windows Server 2003 with SP1 for itanium-based systems; Windows Server 2003 x64 Edition; Windows 98; Windows 98 Second Edition [SE] and Millennium Edition [ME].
The third bulletin fixes a flaw affecting several versions of Windows and Internet Explorer. The problem is that Internet Explorer doesn't properly instantiate the JVIEW Profiler COM object [javaprxy.dll], an interface to the Microsoft Java Virtual Machine.
Malicious Web sites can exploit this to corrupt memory on vulnerable machines. Attackers could also use the flaw to launch malicious code.
Danish security firm Secunia and other organizations raised the red flag on the IE flaw last week, warning that exploit code had been publicly released online.
Microsoft quickly acknowledged it was investigating the flaw and recommended users set their Internet and local intranet security zone settings to "High." The company said users could also unregister, disable or restrict access to the javaprxy.dll COM object, though it would probably affect functionality. The software giant now recommends users install the update.
"It's a game of whack-a-mole," Murray said. "IT managers just have to keep their patching up to date and educate users on safe Web browsing. You want to make sure users have their browser security settings on high. They need to understand that if a warning comes up, they can't ignore it. And if they go to Yahoo and it doesn't look like Yahoo, they need to be aware that's a problem."
This article originally appeared on SearchSecurity.com.