Microsoft, Apple Issue Security Updates
Microsoft today issued software updates to fix at least 10 security vulnerabilities in various versions of Windows. Among the most dangerous of those is a flaw in the Bluetooth wireless communications feature included with many Windows systems that could open vulnerable systems to complete compromise just by being turned on and in range of an attacker.
Bluetooth is a technology that facilitates wireless communication between devices, and many newer Windows laptops ship with Bluetooth functionality built in and turned on. This is a serious vulnerability, but since Bluetooth is a proximity-based wireless technology (most devices need to be within 30 ft. of each other to exchange data), an attacker would in most cases need to be fairly close to the target.
Symantec's Ben Greenbaum said the Windows Bluetooth vulnerability is especially noteworthy because it allows an attacker in range of a Bluetooth-enabled device running Windows XP or Vista to take control of that device. "User interaction is not required," Greenbaum said. "All that is required is for the device to have Bluetooth on and to be within range of the attacker."
Microsoft also issued a patch to change the behavior of its speech recognition software, which it said could be used by an attacker to launch programs on a victim's machine simply by tricking the user into opening an audio file that issues specific commands. This particular patch basically sets it so that Internet Explorer can't be used for such an attack. But it's not entirely clear why Microsoft is just now getting around to changing this, as Security Fix and a number of other media outlets wrote about this potential vulnerability roughly 15 months ago.
Also included in this week's patch batch are critical updates for Internet Explorer and DirectX, a key multimedia component on Windows.
Windows users can download all available updates from Microsoft/Windows Update, or via Automatic Updates.
In other patch news, Apple on Monday released a new version of its QuickTime media player that corrects at least five security vulnerabilities in the software. New versions are available for both Windows and Mac OS X users.
The new QuickTime, version 7.5, is available for Mac users from Apple Downloads or through Software Update; Windows users can grab the latest version from the bundled Apple Software Update program (be aware that it will try to offer you the Safari Web browser for Windows, which in its current configuration exposes Windows users to a sneaky avenue of attack that Microsoft has said it plans to address in a future patch).
By Brian Krebs | June 10, 2008; 9:28 PM ET
Posted by: brucerealtor | June 11, 2008 3:17 AM
Can always count on Security Fix to keep you up to date on all the vulnerabilities computers have. You guys are great. Thanks.
Posted by: Anonymous | June 11, 2008 5:26 AM
After installing the Quicktime update I was forced to reboot and then the computer gave a kernel fault on rebooting and had to be shut off.
A major problem with Safari is that it does not run NoScript.net. washingtonpost forces readers to have Javascript turned on to use all features of the site even though Javascript is a known threat to national security. Sounds like they got their security licenses in the same Cracker Jack box as Bush "Pioneer" Tom Ridge.
Note to Windows fans: RNC Hackers use Symantec security software to break into your computer. That is not security. That is the opposite of security.
Another excellent stream player is: http://www.videolan.org
playogg.org
Department of Homeland Security Homeland Terrorist Alert Color Code Brushed Aluminum: Erase Windows from your computers immediately! Install Linux! Turn off Javascript.
OpenBSD.org
Posted by: Singing Senator | June 11, 2008 7:20 AM
Nice to see the Linux nuts are ripe. Too bad they don't know the difference between Linux and BSD.
Posted by: ged | June 11, 2008 7:30 AM
Great. The update just broke my GPIB interface board.
BB
Posted by: Fairlington Blade | June 11, 2008 9:23 AM
No problems so far after applying MS and QT patches to 3 machines. Thanks to BK for Security Fix!
Posted by: gp | June 11, 2008 10:13 AM
@Singing Senator: That is the most ignorant comment I've seen in a long time from a linux fanboy. You can keep your fruity named operating systems and all around non user friendly functionality.
Posted by: markscrap | June 11, 2008 10:45 AM
"it's not entirely clear why Microsoft is just now getting around to changing this, as Security Fix and a number of other media outlets wrote about this potential vulnerability roughly 15 months ago."
Maybe they had something else they were working on?
Posted by: Just-A-Hunch | June 11, 2008 11:19 AM
@singing senator
You said: "Another excellent stream player is: http://www.videolan.org"
In all your spouting of security licenses and cracker jacks, did you mean this same piece of "oh-so-secure" software?
http://www.securityfocus.com/bid/27015
Your fear-mongering RNC hackers like that vector too, just FYI.
Posted by: Charles Decker | June 11, 2008 1:00 PM
Incidentally, got the GPIB board back. Had to uninstall and then reinstall the driver.
BB
Posted by: Fairlington Blade | June 11, 2008 1:14 PM
Brian:
Is your suggestion to not install XP SP3 still in effect?
When I go to Windows Update High Priority I get:
"High-priority updates
This update can have system-wide effects or address more than one problem. It must be installed separately from other updates.
We recommend you install it and then return to our home page to check if your computer needs other high-priority updates.
Microsoft Windows XP
Windows XP Service Pack 3 (KB936929)"
Posted by: Canoe | June 11, 2008 1:28 PM
Speaking of XP SP3, does anyone know when MS will start pushing it via Automatic Updates?
@Canoe: if SP3 still hasn't been pushed to Automatic Updates (and I don't think it has yet), you can wait for this month's patches to come automatically and avoid installing SP3 first; or I believe if you choose the 'Custom' rather than 'Express' option on the MS Update website you should be able to bypass SP3.
Posted by: Anonymous | June 11, 2008 1:43 PM
Before the XP update, my computer had all previous updates, including SP3, installed. After the update, my media card reader was gone and most of my drive letters were reassigned. My system froze while restoring from a backup, and a restart was unsuccessful because of "missing or corrupted" system files. I was eventually able to recover, but it took hours.
Posted by: Ernie Mercer | June 11, 2008 3:36 PM
I updated yesterday on two computers. I had to select custom instead of express in order to bypass the SP3. Express would not show me anything but SP3 and was insisting I download it first. By going through custom I could skip it.
I hope at some point we can be assured that installing SP3 will not likely be an issue. I know enough to keep the computers updated but not enough to fix them if the update breaks them.
Posted by: Rosie | June 11, 2008 4:05 PM
good catch mr sloss
Posted by: 010100101k | June 11, 2008 8:05 PM