Users of the Microsoft Windows operating system have long been plagued by crackers determined to exploit the popular system’s security vulnerabilities. This week Microsoft sent out yet another high level security warning to its user base about two new areas under attack.This time around, assaults are being launched against the Microsoft Color Management Module and the JView Profiler, which is part of the system’s Java Virtual Machine. According to Microsoft, an invader that gains entry via either of these vulnerable areas can gain control of the victim’s PC by installing Trojans. In cases where this has happened, the highjacked computers can become part of a network, known as a botnet.
The JView flaw has been known by Microsoft since March and allows intruders to create malicious websites that encourage users to visit and open themselves up to harm. Last week Microsoft offered a bug fix but did not send out a notice about the patch via its automatic service. However, the patch will appear as an Automatic Update.
Those who are attacked through the Microsoft Color Management flaw run the risk of problems after viewing a malicious image that executes either on a website or by being clicked on or even just previewed in an e-mail. Both vulnerabilities affect all current Windows and Windows Server operating systems, including Windows XP with Service Pack 2 and Windows Server 2003 with Server Pack 1, both of which are recent and billed as the company’s most secure releases to date.
The Color Management flaw is deemed critical and Microsoft strongly urges its users to download Windows updates in order to deal with the issue. A fix for the image vulnerability is expected within the week.
A third, less critical flaw has been found in Microsoft Word, which could allow attackers to control vulnerable PCs running Word 2000 or Word 2002. Although the previous flaws are already being exploited by crackers, no incidents of attack using the newly discovered Word flaw have been reported.
