Microsoft today released a dozen security updates to fix at least 20 vulnerabilities in its Windows operating system and other software, including 11 flaws Redmond labeled "critical," its most severe warning level.
Today's patch bundle is the largest yet for 2006, and includes a huge patch rollup that mends at least eight different flaws -- four of them critical -- in nearly all versions of Microsoft's Internet Explorer Web browser. Microsoft considers a vulnerability "critical" if attackers could exploit it without any action on the part of the victim. As such, critical flaws in IE are especially dangerous because they expose users to the risk of having their computer completely hijacked by the bad guys just by inadvertently visiting a malicious Web site or clicking on a link that redirects them to one.
Microsoft noted in its advisory that instructions showing would-be attackers precisely how to exploit at least two of the IE vulnerabilities have already been published online, though the company said it was not aware of any ongoing attacks that leverage either exploit.
Microsoft numbers its patches sequentially each month, starting with those that fix the most dangerous flaws. The one following the IE patch corrects a problem in the way Windows renders image files ending in ".ART", an image format most commonly used by America Online. Microsoft said an attacker could exploit the vulnerability with a specially crafted image viewable through a Web browser or e-mail reader. This flaw affects nearly all versions of Windows, including Windows Server 2003, Windows XP, Windows 2000, Windows 98, Windows 98SE and Windows ME. Not sure whether this presents any more of a problem for AOL Internet subscribers or for AOL Instant Messenger users, but I was chatting with SANS Internet Storm Center handler and chief technology officer Johannes Ullrich and he brought up a good point: "I could see this getting abused with malformed AIM buddy icons." Yikes.
Another critical update released today fixes a problem with Microsoft's implementation of Javascript, a powerful Web programming language that many sites use (bad guys also have been known to use Javascript flaws to install nasty programs). Redmond notes that this patch is meant to be installed alongside the IE bundle.
The Javascript flaw also is present in Windows Server 2003, Windows XP, Windows 2000, Windows 98, Windows 98SE and Windows ME.
The next critical update patches a flaw in just about every version of Windows Media Player that Microsoft ever shipped. Yet another patch covers two critical flaws in Microsoft's "Routing and Remote Access" service. Microsoft says this service is designed to let companies using its server products reach their intranet from the greater Internet. Having a critical flaw in this service doesn't sound like good news for companies that use Microsoft server products and have employees who work from home: most organizations take several weeks to test security updates before deploying them across their networks, mainly to ensure that applying the fix won't break other applications.
One odd "critical" update fixes a problem in Microsoft's graphics-rendering software that apparently is only present in older versions of Windows, specifically Windows 98, 98 SE and ME. This kind of flaw found exclusively in older versions of Windows is a tad alarming, given that Microsoft will stop shipping critical patches like these on July 11, when it officially ends support for those operating systems.
Microsoft's advisory on this flaw is worded so as to indicate the fix for this vulnerability may not be available for a short time. If you use one of the older operating systems and have trouble downloading this patch, please drop me a line or leave a note in the comments section below.
Today's patch bundle also includes an update that Microsoft promised last month to plug a security hole in Microsoft Word that hackers have been using to conduct highly targeted attacks designed to steal sensitive information. According to Microsoft, this flaw affects Word 2000, Word XP, Word 2003, and Microsoft Works suites for each year from 2000 to 2006. Contrary to earlier statements by Microsoft, the flaw also is present in Word Viewer 2003 (Microsoft had previously said that Word Viewer users did not have to fear this flaw).
Microsoft also issued a patch to plug a critical flaw in PowerPoint that attackers could use to seize control over computers just by convincing someone to open a specially crafted presentation (.PPT) file. The vulnerability is present in all versions of PowerPoint shipped with Microsoft Office 2000, Office XP, Office 2003, as well as Office 2004 for Mac and Office v.X for Mac.
Microsoft also issued updates to fix five other vulnerabilities that earned its "important" rating, but I'll spare readers the details on those for the moment. Just know that while these flaws may not have earned Microsoft's most severe rating, they still could allow viruses or online attackers to infiltrate and/or hijack your computer.
Patches are available via the Microsoft Update Web site or by activating Automatic Updates. Office 2000 users, please take note: you will need to also visit Microsoft's Office Update site to download the Office patches separately. Be sure you have your Office 2000 installation CD handy when you do, however, as the site usually asks you to pop it into your computer before it will successfully install the updates.