Microsoft update patches three bugs
09-01-2008
by Ciara O'Brien
Microsoft kicked off 2008 by issuing a security update that included only two patches to tackle three flaws.
However, one of the vulnerabilities was a potentially critical security bug that could allow malicious users to run code remotely on an affected system. The critical patch fixes two vulnerabilities that Microsoft said were "privately reported" in Transmission Control Protocol/Internet Protocol (TCP/IP) processing.
"An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the company said in its bulletin.
The flaw affects the Windows operating system, including Vista and XP.
The second update patches a bug Microsoft classes as "important", which could allow an attacker to take control of a system through a vulnerability in Microsoft Windows Local Security Authority Subsystem Service (LSASS). Vista is not believed to be affected by the flaw.
"The vulnerability could allow an attacker to run arbitrary code with elevated privileges," Microsoft said.
Because the vulnerabilities were reported privately, it is believed that no exploits are currently publicly available online.
It was a relatively light start to the year for Microsoft users. In 2007, security bulletins hit highs of 20 vulnerabilities and 12 patches in February, and 14 flaws in August fixed by nine patches. Eight of the August security holes were rated as "critical".