Microsoft Fixes 10 Security Vulnerabilities

Microsoft today issued software updates to plug at least 10 security holes in its Windows operating systems and other software. More than half of the vulnerabilities fixed by these patches earned the company's most dire "critical" rating, and several of them are located in areas of Windows that attackers have shown an affinity for exploiting in the past.

Among the more serious security holes fixed today is one present in a component of Windows (GDI) used to process certain types of images. This is the type of vulnerability that could be exploited to install software on a vulnerable system just by convincing the user to visit a malicious Web site.

Indeed, attackers targeted a very similar vulnerability back in 2005 to compromise massive numbers of Windows computers with password-stealing programs when unsuspecting users visited one of thousands of hacked Web sites. Security vendor Symantec says there is a good chance this vulnerability will be exploited in the wild at some point, and I suspect they are correct.

Speaking of hostile takeovers, one of the critical patches -- which fixes a dangerous ActiveX flaw (read: exploitable by any malicious Web site via Internet Explorer) -- also disables two different ActiveX components of Yahoo! Jukebox, a popular media player program. Yahoo! Jukebox users needn't worry, however: The loss of the vulnerable component shouldn't subtract any useful features of the program, and in any event Yahoo! itself is already urging users to address this vulnerability by upgrading to the latest version.

A cumulative update for Internet Explorer fixes another browse-a-bad-site-with-IE-and-have-a-bad-day type vulnerability that is rated critical regardless of which version of Windows you use.

Microsoft also issued critical fixes for Microsoft Office Project, and another that corrects a security issue with the way Windows handles scripting in Web pages. Three other "important" updates fix a total of four other vulnerabilities, which you can read about here.

By Brian Krebs |  April 8, 2008; 3:01 PM ET Latest Warnings , Misc. , New Patches , Safety Tips

Comments

Wow, what a neutral author of this article... no predispositions against IE here!

Posted by: What_a_neutral_Article_Author! | April 8, 2008 8:14 PM

re: "What_a_neutral_Article_Author"

When you use a program like IE with so many vulnerabilities, you have to devote a large percentage of the article to describe them and what it takes to eliminate them.

I use IE for only the few websites that won't work with Firefox.

Posted by: blasher | April 9, 2008 11:23 AM

Brian,
I have previously installed KillBitGui in Feb 2008. How will this interact with the latest Microsoft killbit update?
Krishna.

Posted by: Krishna | April 9, 2008 11:34 AM

Just a quick question: If you use Firefox for nearly all browsing, are you still vulnerable?
I almost never use IE, have both AVG and Comodo scanners and have not been bitten by viruses except on one occasion. I assume I'm doing the right things, yes?

Posted by: Wicked | April 9, 2008 11:53 AM

The IE Cumulative patch now includes the removal of the "click to activate" behavior, formerly required for ActiveX controls embedded in some webpages. For more info, see:

http://blogs.msdn.com/ie/archive/2008/04/08/ie-automatic-component-activation-now-available.aspx

Also, Adobe has released a new version (9.0.124.0) of Flash Player that fixes multiple vulnerabilities.

http://isc.sans.org/diary.html?storyid=4268

Posted by: TJ | April 9, 2008 2:03 PM

FYI. Attempt at Exploiting Latest GDI Vulnerability Found in the Wild

http://www.symantec.com/enterprise/security_response/weblog/2008/04/attempt_at_exploiting_latest_g.html

As the SANS Internet Storm Center says, "If you haven't already patched do so now and don't forget to remind your users not to open image files."

http://isc.sans.org/diary.html?storyid=4274

Posted by: TJ | April 10, 2008 5:33 PM

I have attempted to download and install Security Update for Windows XP (KB944338); but the download always fails. All other recent downloads have been successful. Any advice?

Posted by: karhu | April 11, 2008 10:42 AM

Yepper, same here: all other downloads installed, but this one won't! Security Update for Windows XP (KB944338)

Posted by: CaptBignuts | April 15, 2008 11:46 AM

Of course, but what do you think about that?

Posted by: Plozher | May 7, 2008 12:22 AM

© The Washington Post Company