
Microsoft Patches 9 Security Holes

Microsoft Corp. today issued patches to mend at least nine separate vulnerabilities in its Windows operating systems and other software, including three security holes that criminal hackers already are exploiting. As always, users can download and install the patches via Microsoft Update or through the company's Automatic Updates service.

The new patches fix at least three vulnerabilities in Internet Explorer that hackers could use to install malicious software just by getting victims to visit a specially crafted Web site. One of the IE problems also is exploitable if a recipient merely views a tainted HTML message in an e-mail preview pane. Microsoft said the IE flaws are far less of a problem on Windows Server 2003 systems and for users of IE7, as the default security settings on those systems won't allow exploitation of the flaws.

While it doesn't address a vulnerability in IE specifically, a separate patch issued today corrects a flaw in the Windows "Microsoft Agent" service that also could be exploited just by convincing someone to visit a site that takes advantage of the security hole.

Another update fixes serious flaws in Adobe's Macromedia Flash Player, a component bundled with Windows XP systems. Adobe issued an update in September to fix this flaw, and provides more detail in its own writeup, which covers five separate Flash vulnerabilities. It is not unheard of for sites to try and use Flash vulnerabilities to install malicious programs, so don't ignore this important update.

Microsoft also fixed a critical bug present in the "workstation service" on Windows XP and Windows 2000. This bug is less of a problem for home users (assuming they have a firewall running) and more of a concern for businesses, as it would most likely be exploited once the attacker already has access to the company's internal network.

Also addressed in this month's patch batch are two critical flaws -- one in Microsoft's "XML Core Services" and the other in the "Client Service for Netware" -- neither of which is installed by default on Windows machines.

Finally, a note about the wireless device driver flaw that I wrote about this past weekend. I said I'd circle back if more vendors released updates, and it turns out that HP issued a patch in October to fix this flaw. HP users should be able to install this patch by visiting Microsoft Update, letting it scan, and then selecting the "Hardware/Optional" option at the left-hand side of the screen. This worked on my HP laptop, and there may be updates for this flaw from other affected PC makers (Dell and Gateway come to mind).

I think it's great that Microsoft is offering Microsoft Update as a distribution mechanism for serious flaws in the PCs made by third parties, but most people probably would not know to check that portion of Microsoft Update, and I can't recall ever seeing any alerts from HP about this important patch.

By Brian Krebs  |  November 14, 2006; 3:00 PM ET
Categories: Latest Warnings, New Patches, Safety Tips

Comments

(sigh)

Posted by: GTexas | November 14, 2006 3:59 PM | Report abuse

Thanks. The wireless driver update available thru Windows Update also worked for my Compaq laptop w/ Centrino.

Posted by: GW | November 14, 2006 7:58 PM | Report abuse

Hi,

Is it essential to have Windows XP SP2 installed to install these patches or can they also be installed in SP1?

Posted by: SG | November 15, 2006 8:53 AM | Report abuse

"Is it essential to have Windows XP SP2 installed..."

Yes.

- http://www.techweb.com/article/printableArticle.jhtml?articleID=193100649&site_section=700027
September 29, 2006
"...After the Oct. 10 security updates, Microsoft will no longer distribute fixes to Windows XP SP1 users, including any meant to patch IE 6 SP1, the browser edition included with the pack. In addition, Windows XP SP1 users will not be able to update to the more secure IE 7 when that releases in final form later this year."

Posted by: J. Warren | November 15, 2006 11:37 AM | Report abuse

Be sure to back up before installing these latest patches.

Last night my attempted update failed and destroyed my entire system. Thankfully I'd cloned my C drive immediately prior to starting the update.

I'm wondering if anyone else has encountered problems.

Posted by: J. Rock | November 15, 2006 1:08 PM | Report abuse

Hi,
Some users reported failure of update KB923789. The solution for me and one other was to update Flash Player to the latest version (9.0.28.0). You can reveal the version of your player here:
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_15507
The Community Newsgroup discussion of this problem is here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?pg=3&cat=en_US_56d1dd45-de9e-4fc5-9bc1-2d1d0de6daee&lang=en&cr=US&guid=&sloc=en-us&dg=microsoft.public.windowsupdate&fltr=

Posted by: Frank C | November 17, 2006 4:53 PM | Report abuse

I have tried repeatedly to install the latest updates and have given up - for days now I get a message about the update as I shut down my computer - when I try - it fails with an error message that just flashes on the screen - so - were the updates installed? How do I get rid of the message aside from resetting to an earlier date prior to this latest farce from Microsoft -
Good grief - maybe next time I will buy a Mac

Posted by: Mary | November 28, 2006 11:26 AM | Report abuse


© 2010 The Washington Post Company