TechNewsWorld.com
Three Serious New Security Flaws Found in Windows

A spokeswoman said Microsoft is not yet aware of any active malicious attacks exploiting the reported vulnerabilities but said the software maker will take "appropriate actions" after it investigates. That might include an out-of-cycle security update.


Microsoft (Nasdaq: MSFT) and its customers got no holiday break from security concerns as Symantec (Nasdaq: SYMC) said it had confirmed three more yet-to-be-patched vulnerabilities in Windows, some of which can be used to launch denial-of-service attacks.

Symantec said all three of the flaws are considered serious, and Denmark-based Secunia labeled them "highly critical," even though no widespread instances of exploits have been found in the wild so far. At least one of the vulnerabilities can be exploited even on machines that are running Windows XP with Service Pack 2 (SP2) applied.

The Internet Storm Center noted that the earliest patches could be made available through Microsoft's new monthly release program would be January 11.

No Exploits Yet Known

A Microsoft spokeswoman said the company is not yet aware of any active malicious attacks attempting to exploit the reported vulnerabilities but said the software maker will take "appropriate actions" after it investigates. That might include an out-of-cycle security update.

Symantec Security Response recommends that computer users update virus definitions, stay away from Web sites they don't know or trust and avoid e-mail messages from unknown sources until patches can be made available.

The firm said the flaws can be used to trick infected computers into aiding in denial-of-service attacks and to cause spyware or other malicious code to be launched. Their arrival during the holidays raised the possibility that infection could spread more quickly, Alfred Huger, senior director of Symantec Security Response, said.

"Many consumers are shopping online and many businesses are short-staffed, making these threats more worrisome," Huger said. "Two out of these three vulnerabilities could potentially be used to install malicious code, such as spyware, on an unsuspecting victim's computer, and take complete control of their computer."

Trio of Trouble

Two Chinese security firms were credited with originally spotting the vulnerabilities.

The first flaw affects code used to open images on Web sites or in e-mails. The LoadImage API can be exploited simply by viewing a malicious image, meaning no additional action, such as opening an executable file, is required of the user.

The second flaw is in the part of Windows that opens help files and can be exploited with files that appear to be help content but actually contain malicious instructions. That flaw has been shown to exist even after SP2 is applied to Windows XP, Symantec said.

The third flaw is in the Windows kernel and can trigger a denial-of-service condition when malicious files are encountered, which can also happen via a Web site or e-mail.

Shooting the Messenger?

Microsoft was also critical of the way the flaws became known to the public, saying that China-based Xfocus did not follow "the commonly accepted industry practice of privately reporting security vulnerabilities to software vendors."

So-called responsible disclosure is meant to give software companies an opportunity to fix flaws before the vulnerabilities can make their way into the hands of malicious code authors.

"Microsoft urges the industry and computer users worldwide to encourage and promote the responsible disclosure of security vulnerabilities," the company said in a statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the fix is being developed."

Microsoft has begun to fight back against some of the security vendors that have been highly critical of its software, including the SP2 update. Earlier this year, Finjan issued a warning that it had found 10 security flaws that still existed in XP with the service pack applied. Microsoft later said that Finjan's approach to testing the vulnerabilities was flawed.

More by Keith Regan