Microsoft is warning Windows and Internet Explorer users to take
steps to prevent two security exploits. The two advisories affect
Microsoft Windows Millennium and Internet Explorer 5.

Users of Internet Explorer 5.0 and Internet Explorer 5.5 on
Windows Millennium Edition and Windows 2000 face possible attacks
from misuse of Windows Metafile graphic images to take control of

According to the advisory, this vulnerability could allow an
attacker to execute arbitrary code on the user's system.

Still bruised by previous WMF security flaws, the Redmond,
Wash.-based Microsoft emphasized the current WMF exploit is
different from the problem patched last month.

Unlike last month's spyware concerns, this flaw requires some
action by users, such as opening an e-mail attachment or clicking a
link that takes them to a malicious Web site. The immediate cure:
installing Internet Explorer 6 Service Pack 1.

Microsoft also is addressing security trouble permitting a
privilege security vulnerability created by some third-party

The flaw, first reported to the Redmond software giant by two
Princeton University researchers, could allow access controls to be
changed, permitting someone with low security to issue commands
normally reserved for the computer's owner.

The problem is present in Windows XP or Windows Server 2003
computers that have not been upgraded to the latest service packs.
Alternatively, permissions for the four affected default Windows XP
and Windows Server 2003 components can be set manually.

Microsoft is not aware of any attacks employing the Princeton
"proof-of-concept" security concern, according to the software

Two of the four Windows services would need to be run while in
privileged mode, while others are vulnerable when operated in
Windows XP Service Pack 1, according to the company's advisory.