The critical bugs, undisclosed until today, are located in the transmission control protocol/internet protocol (TCP/IP) kernel driver. Users' PCs can be exploited if they are sent maliciously crafted multicast or ICMP (internet control message protocol) requests.
The latter request could result in a DoS attack, while the former could lead to remote code execution, Eric Schultze, chief technology officer of Shavlik Technologies, told SCMagazineUS.com today.
Schultze said both functions -- multicast and ICMP -- usually are not turned on by default, but administrators should nevertheless take the bugs seriously.
"We haven't seen a good remote code execution [flaw] in a while," he said. "It will ignite some enthusiasm with some of the hackers. So many of the vulnerabilities lately have been what I call client-side, meaning the end-user has to visit a website or something."
Amol Sarwate, director of Qualys' vulnerability research lab, said both protocols are normally enabled. He said ICMP is turned on by default in Windows XP and Vista, and multicast is enabled by default in Vista, but not XP.
The third bulletin corrects an "important" privilege-escalation vulnerability in the Microsoft Windows Local Security Authority Subsystem Service (LSASS). It does not impact Vista.
Andrew Storms, director of security operations for nCircle, said the flaw is not "too dangerous because it is a local-only vulnerability that requires valid login credentials for execution."
But when combined with other holes, it becomes more severe, said Schultze.
One notable vulnerability that went unfixed was a flaw in the Microsoft Web Proxy Automatic Discovery (WPAD) feature, disclosed a week prior to December's Patch Tuesday release. The flaw could be exploited to launch a man-in-the-middle attack.
Microsoft releases two patches for three flaws on Patch Tuesday
By Dan Kaplan on Jan 9, 2008 12:44PM