Researchers warn of multiple unpatched Windows holes
Vulnerabilities could leave systems open to remote attacks
News Story by Paul Roberts
DECEMBER 24, 2004 (IDG NEWS SERVICE) - Antivirus company Symantec
Corp. warned its customers about a number of critical holes in
Microsoft Corp.'s Windows operating system that surfaced late
yesterday and that could make Windows systems vulnerable to compromise
by remote attackers.

Symantec acted after security researchers published the details of the
heap overflow vulnerabilities in messages posted to online security
news groups Thursday, including the Bugtraq mailing list, and on
xfocus.net. The flaws affect most supported versions of Windows, but
Microsoft has not yet issued a patch for the newly disclosed
holes. Windows users are vulnerable to Internet-based attacks until
patches are issued, Symantec said.

Three Serious Windows Vulnerabilities Surface
By David Morgenstern
December 24, 2004
Symantec Corp.'s Security Response service on Friday confirmed that
unpatched Windows vulnerabilities could pose a serious risk for
exploits via malicious Web pages and e-mail messages.

One of the three security vulnerabilities involves image handling - a
source of recent exploits on Windows and Unix operating systems. The
other two risks are found in the Help system and in Windows' ANI
(Automatic Number Identification) authentication.

Symantec said the Microsoft Windows LoadImage API Function Integer
Overflow Vulnerability could be exploited via browsers or e-mail
client software. Users who open an HTML message or Web page bearing
the image could face security risks.

Exploits released for new Windows flaws
Published: December 23, 2004, 3:31 PM PST
By Robert Lemos
Staff Writer, CNET News.com
A Chinese security group has released sample code to exploit two new
unpatched flaws in Microsoft Windows.

The advisory comes in the week before Christmas, a time when many
companies and home users are least prepared to deal with the
problems. Security firm Symantec warned its clients of the
vulnerabilities on Thursday, after the Chinese company that found the
flaws published them to the Internet.

One vulnerability, in the operating system's LoadImage function, could
enable an attacker to compromise a victim's PC when the computer
displays a specially crafted image placed on a Web site or in an
e-mail. The other vulnerability, in the Windows Help program, likewise
could affect any program that opens a Help file.