The Fix is In: Eight New Security Updates for Windows
Microsoft Corp. today released eight software security updates for computers running its Windows operating system. The eight patches mend at least 18 different security holes in a variety of Microsoft products.
Five of the patches carry a "critical" label. The Redmond, Wash.-based software giant labels a fix "critical" if hackers can sneak in through the security hole it patches to seize control of computers over the Internet. Three of the patch bundles released today earned lower threat labels, but the vulnerabilities they fix could still let attackers gain some control over a system.
A few of the patches issued today address problems in every version of Windows dating back to Windows 98. You can download any security fixes that apply to your PC by visiting Microsoft's Windows Update Web site.
The security flaws bound to receive the most attention from hackers and security experts alike involve a series of hiccups in how Microsoft incorporated "TCP/IP" -- the basic communications rules that all Internet-connected devices use to exchange information -- in its Windows operating system.
The TCP/IP flaw, and another critical problem in Microsoft's Exchange e-mail software, are extremely serious because they don't require any user interaction for hackers to exploit them successfully, said Neel Mehta of Atlanta-based Internet Security Systems Inc.
Microsoft also issued a "cumulative update" to fix three separate problems in its Internet Explorer Web browser, two of them rated critical.
Still another critical fix corrects two serious flaws in Microsoft Word, the company's widely used word processing software.
Microsoft has repeatedly urged Windows XP users to turn on the operating system's "automatic update" service, which can fetch and install patches from Microsoft automatically as they are made available. But that service does not retrieve patches for Microsoft Office (such as the two problems in Microsoft Word mentioned above), so users who have Office installed must visit the Office Update Web site and click on the "check for updates" link in the upper right corner of the page (then follow the instructions). In most cases, you will need to already have installed at least one Office service pack to load the patches released today, so if you haven't done that you'll need to take care of that first. Also, keep in mind you may not be able to install any Office updates without having the Office installation CD handy. If you lost your CD, you're going to need to deal with Microsoft customer service to figure out how you can demonstrate to them that you indeed own a copy of the software.
Today also marks the expiration of a software tool Microsoft made available last fall to let people block the automatic installation of Service Pack 2, a major software and security upgrade for Windows XP and Windows XP Professional. Microsoft made the tool available after a number of businesses and schools said they were concerned that the forced upgrades could interfere with existing software applications and slow their networks to a crawl as hundreds of PCs downloaded the massive upgrade all at once.
Ed Skoudis, founder and senior security consultant at Intelguardians, a security consulting company in Washington, D.C., said most large organizations have since either installed the upgrade or devised other ways to block Microsoft from installing it automatically. Still, Skoudis said, a lot of small mom-and-pop businesses are going to be surprised when certain home-built software applications break after the upgrade.
"For most organizations, installing this service pack has been remarkably smooth," Skoudis said. "But the relatively small number of organizations that get hosed by it may take a different view."
A survey released earlier this month backs up concerns that smaller organizations may have failed to deploy SP2. Ontario, Canada-based AssetMetrix published a survey that found just 24 percent of companies using Windows XP had deployed Service Pack 2, and that 40 percent were actively blocking the installation from Microsoft. Stephen Toulouse, a program manager with Microsoft Security Response Center, disputed findings in that survey. Toulouse said Microsoft did not know what percentage of XP users had installed the update, only that it had been downloaded roughly 180 million times.
The SANS Internet Storm Center is reporting that three of the fixes released today also correct glitches in previous Microsoft patch bundles, including one I wrote about last month that was causing problems for Windows 98 and Windows ME users who complained their computers operated sluggishly or failed to boot at all after installing the update.
By way of keeping count, this month's batch of patches brings to 17 the total number of critical vulnerabilities Microsoft has identified in 2005. Last year, Microsoft released a total of 25 "critical" security fixes.
April 12, 2005; 4:00 PM ET
Categories: New Patches