Six Security Patches for Windows
As promised, Microsoft Corp. today released a bundle of six software security updates for computers running its Windows operating systems, including three patches that earned its most severe "critical" rating.
The free patches, available for download through the Microsoft Update Web site, include a patch bundle for Microsoft's Internet Explorer Web browser. Because these flaws could be exploited by attackers to take complete control of vulnerable Windows computers, and because Web browser traffic is allowed by default through most firewalls, it is important not to put off installing these patches. "Aha! But I don't use IE, I use Firefox," you say? Well, even still, you've got to apply these patches: A long list of other programs in Windows use IE or the engine that drives IE as their default display application.
Another vulnerability detailed today that should be of concern for home and business Windows users is a flaw in the "plug-and-play" function of Windows, a process that -- as its name suggests -- figures out what to do with new hardware devices when users plug them into Windows machines. PNP, as it turns out, relies a service deeply embedded into Windows machines called "remote procedure call" or RPC for short. RPC flaws in Windows have been exploited by some of the most successful and infamous Internet worms to date, including "Blaster," "Sasser" and their many variants. This particular flaw has been present in Windows for several years, and exists on Microsoft PCs dating back to Windows 2000.
Exactly why a so-called "local service" like plug-and-play needs to be connected to RPC -- which was designed to let Windows computers communicate remotely over a network -- still has me a bit stumped. Nevertheless, do not delay installing this patch, as some security experts say it won't be long before the bad guys start exploiting it.
"Pretty much anyone who can write Windows exploits can take advantage of this flaw," said Marc Maiffret, chief hacking officer for eEye Digital Security. The IE flaws and the plug and play vulnerability "means attackers can pretty much break into any Windows system right now," he said.
The final critical flaw deals with a security glitch in the way Windows handles network printer requests that could expose companies to attackers. However, Stephen Toulouse, security program manager for Microsoft, said this vulnerability -- as well as the plug-and-pray vulnerability -- have a number of mitigating factors that could make them harder for hackers to exploit.
As I mentioned in an earlier post, if you plan to get the patches by visiting the Microsoft Update Web site, you will be required to first participate a program Microsoft has started that checks to see if you're running a pirated version of Windows. If you fail this test, you will be barred from downloading patches directly from Microsoft (or anything else for that matter). However, if you are using Windows 2000 or a later version of Windows (XP, Server 2003), you can still get all of the patches by turning on automatic updates.
UPDATE, AUG. 10, 1:23 P.M.: Apparently, some readers have had trouble downloading the IE patch bundle. According to the Microsoft Internet Explorer Weblog the patches had to be yanked after a glitch caused "some of the updates to be corrupted, breaking the digital signature and preventing them from installing. The updates available on Microsoft Update and Windows Update are not affected and are installing properly." The blog says Microsoft has identified the problem, removed the affected updates from the Download Center and will repost them shortly to correct the issue.
Posted by: Matt | August 9, 2005 4:40 PM | Report abuse
Posted by: Matt | August 9, 2005 4:51 PM | Report abuse
Posted by: Michael | August 9, 2005 9:35 PM | Report abuse
Posted by: Matt | August 9, 2005 10:07 PM | Report abuse
Posted by: Matt | August 9, 2005 10:08 PM | Report abuse
Posted by: Jon | August 10, 2005 9:45 AM | Report abuse
Posted by: Jon | August 10, 2005 9:51 AM | Report abuse
Posted by: Tom S. | August 10, 2005 10:00 AM | Report abuse
Posted by: THOMAS STEWART VON DRASHEK | August 10, 2005 10:21 AM | Report abuse
Posted by: Bill | August 10, 2005 11:41 AM | Report abuse
Posted by: Bk | August 10, 2005 12:07 PM | Report abuse
Posted by: Dick Kaplan | August 10, 2005 12:43 PM | Report abuse
Posted by: Chuck | August 10, 2005 1:06 PM | Report abuse
Posted by: Michael | August 10, 2005 1:57 PM | Report abuse
Posted by: Matt | August 10, 2005 3:19 PM | Report abuse
Posted by: Theodore Craig | August 10, 2005 4:22 PM | Report abuse
Posted by: Matt | August 10, 2005 6:41 PM | Report abuse
Posted by: Kyle | August 10, 2005 8:33 PM | Report abuse
Posted by: Scott | August 10, 2005 9:58 PM | Report abuse
Posted by: Matt | August 11, 2005 12:59 AM | Report abuse
Posted by: Bernie | August 11, 2005 7:55 AM | Report abuse
Posted by: Mike | August 20, 2005 11:31 AM | Report abuse
Posted by: Arwin | September 11, 2005 6:37 AM | Report abuse
Posted by: JaneLame | September 17, 2005 10:55 PM | Report abuse
Posted by: Anonymous | November 3, 2005 3:07 AM | Report abuse
Posted by: louy | November 14, 2005 1:23 PM | Report abuse
Posted by: louy | November 14, 2005 1:27 PM | Report abuse
The comments to this entry are closed.