A Closer Look: Three Critical Patches For Windows
As noted yesterday in this blog, Microsoft Corp. released software updates yesterday to fix at least four security flaws in its software, including three rated "critical," the company's most severe warning level. The free patches are available from Microsoft's Windows Update Web site and via automatic updates.
One of the patches corrects a serious problem Microsoft warned users about earlier this month, when it released an interim fix. According to the SANS Internet Storm Center, Microsoft has already received reports of hackers exploiting the flaw, which allows attackers to gain total control over vulnerable PCs.
The problem potentially affects Windows 98, Windows 98 SE, Windows Millennium Edition, XP, 2000, and 2003, but the vulnerable program -- the Microsoft Java Virtual Machine -- is not included by default in certain Windows versions. The Windows Update Web site or the automatic updates feature in Windows should be able to tell whether your PC needs this patch. If you took advantage of Microsoft's interim fix for this flaw, you do not need to install this patch.
Microsoft said it would issue a fix for the Java issue for Windows 98, Windows 98 SE and Windows ME users, but added that it might not be available for a little while. If you're using any of these older operating systems, just be sure to check back at the Windows Update site periodically.
Another critical patch issued Tuesday fixes a security glitch in Word, Microsoft's flagship word processing program. That patch addresses a vulnerability in the way that Word processes fonts that could allow attackers to install software on the victim's machine. The Word fix updates a previous patch that apparently didn't quite do the job. The flaw resides in Office 2000 and Office XP, as well as Microsoft Works 2000, 2001, 2002, 2003 and 2004. The patch is available from Microsoft's Office Update Web site.
The third critical patch fixes a critical flaw in the Microsoft Color Management Module, which is used by Windows to ensure that colors are displayed consistently across multiple software applications. The company said an attacker could exploit the vulnerability by luring a victim into visiting a malicious Web site or into viewing a specially crafted image sent via e-mail.
The color management problem is present in nearly all versions of Windows, although Microsoft does not consider the vulnerability to be critical for Windows 98, Windows 98 SE, or Windows ME. Rather, Microsoft labeled the problem "important" for computers powered by those operating systems. However, since Microsoft only releases patches for those OSes when the flaws they mend earn a "critical" rating, no patch will be made available for users of those older versions of Windows.
Microsoft also re-released a patch it first issued last month to fix a problem in the Windows version of telnet, a service that allows users to connect over the Internet to other machines and networks. The telnet patch applies to Windows XP, Windows Server 2003, and certain versions of Microsoft Windows Services for UNIX.
Math was never my strong point, but by my count this month's batch of patches brings to 23 the total number of critical vulnerabilities Microsoft has identified in 2005. Last year, Microsoft released a total of 25 "critical" security fixes.