Microsoft Fixes 10 Security Vulnerabilities
Microsoft today issued software updates to plug at least 10 security holes in its Windows operating systems and other software. More than half of the vulnerabilities fixed by these patches earned the company's most dire "critical" rating, and several of them are located in areas of Windows that attackers have shown an affinity for exploiting in the past.
Among the more serious security holes fixed today is one present in a component of Windows (GDI) used to process certain types of images. This is the type of vulnerability that could be exploited to install software on a vulnerable system just by convincing the user to visit a malicious Web site.
Indeed, attackers targeted a very similar vulnerability back in 2005 to compromise massive numbers of Windows computers with password-stealing programs when unsuspecting users visited one of thousands of hacked Web sites. Security vendor Symantec says there is a good chance this vulnerability will be exploited in the wild at some point, and I suspect they are correct.
Speaking of hostile takeovers, one of the critical patches -- which fixes a dangerous ActiveX flaw (read: exploitable by any malicious Web site via Internet Explorer) -- also disables two different ActiveX components of Yahoo! Jukebox, a popular media player program. Yahoo! Jukebox users needn't worry, however: The loss of the vulnerable components shouldn't remove any useful features from the program, and in any event Yahoo! itself is already urging users to address this vulnerability by upgrading to the latest version.
A cumulative update for Internet Explorer fixes another browse-a-bad-site-with-IE-and-have-a-bad-day type vulnerability that is rated critical regardless of which version of Windows you use.
Microsoft also issued critical fixes for Microsoft Office Project, and another that corrects a security issue with the way Windows handles scripting in Web pages. Three other "important" updates fix a total of four other vulnerabilities, which you can read about here.