Microsoft Plugs Ten Security Holes

Microsoft Corp. today issued free software updates to plug at least 10 security holes in its Windows operating system and other software. Windows users can download the patches directly from Microsoft Update or by using the Windows Automatic Updates feature.

Probably the most important patch in the January batch is a fix for a Windows flaw that Microsoft said is being actively exploited by bad guys, who can use it to break into vulnerable computers simply by tricking a Windows user into visiting a malicious Web site or opening a specially crafted e-mail. The bug, which resides in Microsoft's implementation of a computer graphics rendering language known as "VML," exists in fully patched Windows XP computers and is similar in nature to a flaw that forced the company to issue an emergency update last fall outside of its normal second-Tuesday-of-the-month patch cycle. In fact, according to data compiled by Security Fix, Microsoft devised a patch for last September's VML flaw just eight days after it became clear bad guys were exploiting it.

In addition to the VML patch, Microsoft today pushed out three updates to fix problems in its Office suite.

Last week, Microsoft said it planned to issue at least eight patches to fix an unspecified number of security flaws, but over the weekend the company revised that number to four without explanation. Unaddressed by this month's patch batch are two flaws in Microsoft Word that bad guys are actively exploiting, and a third Word flaw for which instructions showing criminals how to exploit it have been published online.

While Microsoft's next version of its operating system -- Windows Vista -- technically doesn't hit retail stores until Jan. 30, security researchers have already uncovered a set of fairly serious security holes that could expose customers to attacks. Last week, instructions for taking advantage of a Vista flaw to potentially seize control over computers running the new software were published online. Microsoft said it also was investigating rumors that this exploit was previously offered for sale in the hacker underground.

Microsoft has spent a great deal of time and effort making security a front-and-center concern in the development of Vista, even going so far as to consult with hacker teams at the National Security Agency to harden the operating system. In a note that accompanied today's patch release, Microsoft said it "developed Windows Vista with the highest attention to security; however, it is important to note that no software is 100% secure. Windows Vista is not a silver bullet -- security issues will continue even with more secure operating systems, because the threat bar will continue to be raised and hackers will become more aggressive and that is why Microsoft is taking a defense in depth approach to helping protect users from malware."

One final note: Today's patches fix at least nine vulnerabilities in different versions of Office, but they are most serious for users of Office 2000. While users of newer versions of Office can also get Office updates from the Microsoft Update site, Office 2000 users will need to fire up Internet Explorer and pay a visit to the Office Update site and let the site scan their system for any missing patches.

By Brian Krebs  |  January 9, 2007; 1:58 PM ET
Categories: Latest Warnings, New Patches, Safety Tips

Comments

I believe it is 9 vulnerabilities not 10. You mention 9 later on in your post.

Posted by: Steve Mullen | January 9, 2007 2:23 PM

Steve,

It's nine Office vulnerabilities, plus the VML thing, so ten in all.

Posted by: Bk | January 9, 2007 2:38 PM

I take that back; it is 10.

Posted by: Steve Mullen | January 9, 2007 2:38 PM

Just think how secure Windows would be if Microsoft had put all the time, money, effort, and ingenuity into securing it as they've put into hobbling Vista with next-generation DRM. Just think.

These DRM requirements will actually act to the *detriment* of security - as well as impacting on the stability and reliability of the system and will, furthermore, increase costs to hardware manufacturers and us, the end-users.

Here's a very informative analysis of what Microsoft has been up to from a university academic who's a computer security expert. (No wonder Vista was delayed for so long.) Among other things the new tilt-bits in Vista open new opportunities for DoS attacks:

http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

Posted by: Alexander | January 9, 2007 2:39 PM

No comment on the withdrawal of 5 other possible bulletins?
If you got an inside tip, share!
Thanks.

Posted by: Superfreak | January 9, 2007 5:34 PM

And now this:
http://support.microsoft.com/kb/931183/

Failures when installing the Excel patch, but only affects Asian languages.

We've issued a patch recall/hold back to our people there.

Posted by: Superfreak | January 15, 2007 1:33 PM

© 2010 The Washington Post Company