New WMF advisory from Redmond

Microsoft released two fresh advisories Tuesday, one of them warning users of another Windows Metafile (WMF) flaw that could enable malicious users to execute arbitrary code on a PC.

"Microsoft is investigating new public reports of a vulnerability in older versions of Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user," the Redmond, Wash., company warned.

An attacker would have to trick a user into visiting a website using social engineering, the software giant said. Despite the similarities, the flaw is not the same as the WMF vulnerability that was revealed to users in late December, Microsoft said.

"In both web-based and email-based attacks, the code would execute in the security context of the logged-on users," Microsoft warned. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Microsoft's next scheduled Patch Tuesday monthly bulletin release is next Tuesday.

The company also warned of a possible vulnerability in Windows Service access control lists, saying that after a successful hacking attempt, a user with lesser privileges could escalate those privileges.

Users of Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 are not affected by these vulnerabilities because security-related changes were made in the service packs.

The company said it has not been notified of malicious users attempting to take advantage of the reported vulnerability.

"Microsoft is not aware of any attacks attempting to use the reported vulnerabilities or of consumer impact at this time," the company said. "Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary."

Copyright © SC Magazine, US edition
