Following yesterday's news that the US Army seems to be abandoning Windows NT for Mac Web servers, further problems dog Microsoft. This month, Microsoft issued a spate of security alerts involving its Internet Explorer 5.0 Web browser, its Windows NT 4.0, Windows 95 and 98 operating systems and electronic commerce-related software.

Specifically, the alerts released late last week said: “A vulnerability in IE 5 could allow a Web-site operator to run malicious executable code on the computer of someone visiting the Web site. Until a patch is ready, Microsoft is advising users to disable Active Scripting in IE 5's ImportExportFavorites feature that allows users to export a list of their favorite Web sites to a file, or to import a file containing such a list. Scripting allows scripts or mini-applications, such as pop-up windows, to be run on a computer visiting a Web site without the user's interaction.”

Unattended installations of Windows NT 4.0 Workstation or Server can leave a copy of the file that contains installation parameters on a computer's hard drive. This file, which could contain sensitive information such as the local administrator password, could be read by any user able to perform an interactive log-on. Machines deployed using the Sysprep tool are at greatest risk, Microsoft said. Customers are advised to erase any sensitive information from the installation parameter file or delete the file altogether.

Microsoft has released a patch that eliminates a vulnerability in the Telnet client that ships as part of its Windows 95 and 98 operating systems. The flaw could allow arbitrary code to be executed on a user's computer when the user visits a Web page. The Telnet client has an unchecked buffer, which could allow malicious code to execute on a user's computer via a classic buffer overrun technique.

Microsoft has also released a patch that eliminates a vulnerability in Site Server and Commercial Internet System. The unpatched server could permit a Web site visitor to inadvertently access another customer's data if the Internet gateway caches Web pages via a proxy server and the Web site authenticates based on a GUID (Globally Unique Identifier), which identifies a browser client to a Web server.
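
The caching interaction described above can be modelled in a few lines. This is an added example, not code from Microsoft's bulletin or from the affected products. It assumes the GUID is sent with each request (for instance as a cookie), that the proxy keys its cache on the URL alone, and that the origin can mark personalised pages as private, which is one common mitigation and not a description of Microsoft's patch; all names and values are constructed.

```python
import uuid

CUSTOMERS = {}  # constructed data: GUID -> customer name held by the origin site


def make_origin(mark_private):
    """Build an origin site that identifies the visitor purely by GUID."""
    def origin(path, guid):
        # Hardened variant tells shared caches not to keep the personalised page.
        headers = {"Cache-Control": "private, no-store"} if mark_private else {}
        body = f"{path}: order history for {CUSTOMERS[guid]}"
        return headers, body
    return origin


class SharedProxy:
    """Caching gateway shared by many users; the cache key is the URL path only."""

    def __init__(self, origin):
        self.origin = origin
        self.cache = {}

    def get(self, path, guid):
        if path in self.cache:
            # Cache hit: the origin never sees this visitor's GUID.
            return self.cache[path]
        headers, body = self.origin(path, guid)
        directives = headers.get("Cache-Control", "")
        if "private" not in directives and "no-store" not in directives:
            # Unmarked personalised page is stored for every later visitor.
            self.cache[path] = body
        return body


def second_visitor_sees(mark_private):
    """Return the page the second customer receives after the first has visited."""
    alice, bob = str(uuid.uuid4()), str(uuid.uuid4())
    CUSTOMERS.update({alice: "alice", bob: "bob"})
    proxy = SharedProxy(make_origin(mark_private))
    proxy.get("/account", alice)
    return proxy.get("/account", bob)


if __name__ == "__main__":
    print("unmarked response:", second_visitor_sees(False))
    print("private response: ", second_visitor_sees(True))
```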

In the first week of September, Microsoft issued a security bulletin about a patch it released that eliminates a vulnerability in the TCP/IP stack implementations of Windows 95, 98 and NT 4.0 that could result in a system crash or a remote attack.