Microsoft Issues Three Security Updates

Microsoft today issued three software patches to fix a security flaw in Windows, another in its Exchange Server e-mail product, and two "critical" vulnerabilities in older versions of Adobe's Macromedia Flash Player, which comes bundled with Windows.

The Flash patch being distributed by Redmond fixes two serious vulnerabilities present in versions 6.0.79 or earlier installed on either Windows 98, Windows 98SE, Windows ME or Windows XP (Flash is installed by default on all of those). To see what version you have installed, check out this link.

This patch also includes the security fixes for Flash versions 7.x and 8.x that Adobe released in March. If you applied those patches, you shouldn't have to update, but just check your Flash version anyway to be sure. The most recent safe version of Flash is 8.0.24.0.

The second update fixes a couple of security flaws in Windows that Microsoft said could be used by attackers to cause systems to seize up. These flaws exist in XP, Windows 2000, and Windows Server 2003. If you are using one of these operating systems, visit Microsoft Update and install this patch.

The final patch fixes a critical problem in Exchange Server, which many businesses use to manage their incoming and outgoing e-mail.

For businesses using Exchange, this is a very important update to install. The problem is, even Microsoft admits it may cause problems for some third-party applications that work hand-in-hand with Exchange. For instance, Research in Motion, the company that makes the popular BlackBerry mobile phone/organizer, said applying this patch will break some functionality required by its software. Microsoft has published some workarounds for businesses that have trouble after installing this update.

By Brian Krebs  |  May 9, 2006; 3:05 PM ET
Categories:  New Patches  

Comments

Brian,

A quick point about the DTC DoS vulnerabilities (MS06-018). It might be worthwhile to note that the DTC is NOT enabled by default on Windows XP or Windows Server 2003.

Further, a successful exploit would only cause the Microsoft Distributed Transaction Coordinator service to crash. This would be recorded as a failure (unexpected stop) and services dependent upon DTC would stop functioning until the service was restarted.

According to MS06-018, a successful attack would not put the entire system's stability in jeopardy:

"If the Microsoft Distributed Transaction Coordinator stops responding because of an attack, services that are not dependant on the Microsoft Distributed Transaction Coordinator would continue to function normally. The affects of an attack will not typically affect the general stability of the system."

For many users, this is an important point, because many of them would be utterly oblivious to a successful DTC attack. There are few purposes of a client system that require its services, and those that do are infrequent and intermittent. Such uses may even cause the service to be automatically restarted.

For those who don't need the service, the attack would more or less be doing them a rather rude favor.

Posted by: Matthew Murphy | May 10, 2006 1:19 AM


© 2010 The Washington Post Company