Microsoft issued seven security bulletins Tuesday, two of them designated “critical,” for various versions of Windows and associated products. The company recommends that all Windows users apply the critical updates immediately.
One of the critical bulletins, MS04-023, titled “Vulnerability in HTML Help Could Allow Code Execution,” addresses vulnerabilities in the Windows HTML Help system that were reported previously.
An attacker could execute code on the affected system and take complete control if that user’s privileges were sufficient, according to the bulletin. Updates are available for Windows NT4, Windows 2000, Windows XP and Windows Server 2003. No patch is available yet for Windows 9x, although the bulletin says one will be available later through Windows Update.
The other critical vulnerability, MS04-022, or “Vulnerability in Task Scheduler Could Allow Code Execution,” also allows remote code execution. The affected component, which has an unchecked buffer, is installed in many recent versions of Windows, but not in Windows Server 2003.
Four bulletins are deemed “important,” and Microsoft recommends that users install the updates “at the earliest opportunity.”
Finally, MS04-018, termed a “moderate” problem, is a cumulative update for Outlook Express. The attack allows a denial of service by an attacker who uses a specially malformed e-mail header. A message with such a header could cause Outlook Express to fail.