today pushed out two fixes to close three vulnerabilities, including two "critical" server-side flaws that do not require any user interaction to be exploited.
The critical bugs, undisclosed until today, are located in the transmission control protocol/internet protocol (TCP/IP) kernel driver. Users' PCs can be exploited if they are sent maliciously crafted multicast or ICMP (internet control message protocol) packets.
The latter request could result in a DoS
attack, while the former could lead to remote code execution
, Eric Schultze, chief technology officer of Shavlik Technologies
, told SCMagazineUS.com today.
Schultze said both protocols -- multicast and ICMP -- usually are not turned on by default, but administrators should nevertheless take the bugs seriously.
"We haven't seen a good remote code execution [flaw] in a while," he said. "It will ignite some enthusiasm with some of the hackers. So many of the vulnerabilities lately have been what I call client-side, meaning the end-user has to visit a website or something."
Amol Sarwate, director of Qualys
' vulnerability research lab, said both protocols are normally enabled. He said ICMP is turned on by default in Windows XP
, and multicast is enabled by default in Vista, but not XP.
The second bulletin corrects an "important" privilege-escalation vulnerability in the Microsoft Windows Local Security Authority Subsystem Service (LSASS). It does not impact Vista.
Andrew Storms, director of security operations for nCircle
, said the flaw is not "too dangerous because it is a local-only vulnerability that requires valid login credentials for execution."
But when combined with other holes, it becomes more severe, said Schultze.
One notable vulnerability that went unfixed was a flaw in the Microsoft Web Proxy Automatic Discovery (WPAD) feature, disclosed a week prior to December's Patch Tuesday release. The flaw could be exploited to propagate a man-in-the-middle attack