New Patches Help Solve Security Issues with Microsoft Products

October's batch of patches includes a monster fix for the Internet Explorer browser and critical updates for SMTP, NNTP, Excel and Windows Shell.


The kernel flaw allows the malicious code to launch a Denial-of-Service attack on the system's resources, causing the machine to stop responding. A fix for the four flaws, broken down by operating system type, can be downloaded here.

Microsoft had to restrict some of the functionality in the Internet standard Web-based Distributed Authoring and Versioning (WebDAV) requests to plug a vulnerability that allowed malware to consume all available memory and CPU time on an affected server, according to the company's alert.

Security officials discovered that WebDAV -- a set of HTTP extensions, standardized by the IETF, for collaborative editing of files on remote servers -- does not limit the number of attributes that can be passed to the server, leaving an attacker room to mount a DoS attack.

Microsoft officials imposed new limits on WebDAV, which will cause previously valid requests to fail. The vulnerability affects Internet Information Services 5.0/5.1/6.0 users and several versions of Windows XP/2000/2003. Users can download the patch here.
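The mitigation described above, a cap on the number of XML attributes a WebDAV request may carry, is illustrated by the following added example; it is not Microsoft's code, and the cap value, the function names and the sample request bodies are assumptions. It streams a PROPFIND body through expat and aborts as soon as the running attribute count passes the limit, so an oversized request is refused before it can exhaust memory; the same check also shows why a tight limit rejects requests that were previously valid.

```python
import xml.parsers.expat

# Hypothetical cap; the article does not state the limits Microsoft chose.
MAX_ATTRIBUTES = 1000


class AttributeLimitExceeded(Exception):
    """Raised as soon as the running attribute count passes the cap."""


def count_attributes(body: bytes, limit: int = MAX_ATTRIBUTES) -> int:
    """Stream a WebDAV XML body with expat and count its attributes.

    Parsing stops at the first element that pushes the total over `limit`,
    so the server never builds the full document for an oversized request.
    Returns the total attribute count for bodies within the limit.
    """
    total = 0

    def start_element(name, attrs):
        nonlocal total
        total += len(attrs)
        if total > limit:
            raise AttributeLimitExceeded(
                f"request carries more than {limit} XML attributes")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.Parse(body, True)
    return total


def check_propfind(body: bytes, limit: int = MAX_ATTRIBUTES) -> tuple[int, str]:
    """Map a PROPFIND body to an HTTP status: 400 malformed, 413 over cap, 200 ok."""
    try:
        count_attributes(body, limit)
    except AttributeLimitExceeded:
        return 413, "Request Entity Too Large"
    except xml.parsers.expat.ExpatError:
        return 400, "Bad Request"
    return 200, "OK"


# Constructed sample bodies (not taken from the article).
NORMAL_PROPFIND = (b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:">'
                   b"<D:prop><D:getcontentlength/></D:prop></D:propfind>")

# A single element carrying far more attributes than the cap allows.
FLOOD_PROPFIND = (b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:" '
                  + b" ".join(b'a%d="x"' % i for i in range(1500)) + b"/>")
```

Lowering `limit` below the attribute count of a legitimate body (for example `check_propfind(NORMAL_PROPFIND, limit=0)`) yields 413, which is the "previously valid requests will fail" trade-off the article notes.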

Microsoft also fixed a separate code execution flaw in its venerable Network Dynamic Data Exchange (NetDDE), which lets applications on two computers exchange data. NetDDE, which is used with Microsoft Chat, Microsoft Hearts and, in some cases, Excel, could cede total control to the attacker, the company warned. It's not considered a critical vulnerability because NetDDE has to be running before the attacker can take advantage of the flaw.

The vulnerability affects versions of Windows XP/NT Server 4.0 and Windows 98/98 SE/ME. Windows XP users with Service Pack 2 are not affected by the vulnerability. Users can download the patches here.

Another important security patch released Tuesday plugs a flaw found in the Remote Procedure Call (RPC) run-time library, a protocol that allows a program on one system to access services on another machine. Malware capitalizing on this flaw can either launch a DoS attack or read portions of active memory on the user's machine.

The patch, which applies to Service Pack 6 for Windows NT Server 4.0 and 4.0 Terminal Server Edition, makes the RPC Runtime Library validate the message length before the message is copied into the buffer. Users can download the patch here.