
Microsoft Patches Four More Security Flaws

Software giant issues new security bulletins, one regarding a critical flaw in some versions of Windows.

Joris Evers, IDG News Service


Microsoft issued three security bulletins late Wednesday, offering patches for four recently discovered security vulnerabilities in several of its products. One hole in Windows NT, Windows 2000, and Windows XP was rated "critical" by the vendor.

The hole deemed "critical" is a buffer overrun flaw in the phone book of the Remote Access Service, a standard part of Windows NT 4.0, Windows 2000, and Windows XP. An attacker could gain full control over the machine or cause it to fail, Microsoft says in its advisory.

To carry out an attack, an attacker first has to change a RAS setting on the affected system, before connecting to the system using RAS. If the target system's settings restrict user access, it will not be at risk, Microsoft says. RAS is used for dial-up connections.

More Concerns

Another bulletin addresses a flaw in Internet Information Server versions 4.0 and 5.0, the Web server components of Windows NT 4.0 and Windows 2000. An attacker could run arbitrary code on the system by exploiting a flaw in software that supports HTR scripting, an older and largely obsolete scripting language, Microsoft says.

HTR has been part of IIS since version 2.0. It was never widely adopted because Active Server Pages, or ASP, introduced in IIS 4.0, became popular before HTR use could take off. Virtually the only use for HTR today is a Web-based NT password managed service, Microsoft says, adding that it has long recommended that customers disable HTR functionality and convert any scripts they still need to ASP. The IIS Lockdown Tool offered by Microsoft disables HTR by default.

A third security bulletin addresses two vulnerabilities in the SQLXML part of SQL Server 2000. SQLXML enables the transfer of XML data to and from SQL Server 2000. The most serious of the flaws could allow an attacker to take over the machine running the database, Microsoft says.

Pick Your Patch

More information on the RAS flaw can be found at: http://www.microsoft.com/technet/security/bulletin/MS02-029.asp.

More information on the flaw in IIS versions 4.0 and 5.0 can be found at: http://www.microsoft.com/technet/security/bulletin/MS02-028.asp.

More information on the SQLXML flaw can be found at: http://www.microsoft.com/technet/security/bulletin/MS02-030.asp.
