Microsoft warns of seven Windows flaws

Microsoft yesterday warned of seven security vulnerabilities, two of which it rated as 'critical'.

The company has issued updates for all seven flaws. These include MS04-022, which addresses a vulnerability in Task Scheduler that could allow code execution.

Microsoft explained that if a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

The flaw affects Windows 2000 (Service Pack 2, 3 and 4), XP, and XP 64-bit edition Service Pack 1.

Update MS04-023 addresses the other critical flaw, which centres on vulnerabilities in HTML Help and also could allow malicious hackers to run code on compromised Windows PCs.

The flaw affects the same versions of Windows as MS04-022 but also affects Windows Server 2003 and 64-bit edition.

Of the remaining alerts four are rated as 'important' and one 'moderate'. They include MS04-018, a cumulative security update for Outlook Express; MS04-019, concerning a vulnerability in Utility Manager that could allow code execution; and MS04-020, dealing with a vulnerability in POSIX that could allow code execution.

MS04-021 comprises a security update for IIS 4.0, while MS04-024 addresses a vulnerability in Windows Shell that could allow remote code execution.

Further information, and patches for all seven vulnerabilities, can be found here.