
Microsoft Issues 2 More Patches

Microsoft Corp. today released two free updates to fix security problems in its software. Both fixes earned a "critical" rating, the company's most dire.

The first update fixes a security hole in the way Windows processes Web fonts, a problem present on every Windows operating system going back to Windows 98/ME, including fully patched versions of Windows XP (the flaw is rated merely "important" on Windows Server 2003).

Microsoft says the font flaw could be exploited by convincing a Windows user to visit a malicious Web page or view an e-mail message containing a specially crafted font file. An attacker who successfully exploited the vulnerability could use it to take complete control over the victim's computer. Windows 98/ME users can obtain the patch from the old Windows Update site. Everyone else can get the patch from Microsoft Update or through automatic updates.

The second patch fixes critical security flaws resident in the Microsoft Outlook and Microsoft Exchange e-mail products. The specifics of this vulnerability are way too geeky to get into here. The thing to pay attention to is whether or not you are using one of these products and where you need to go to get the updates.

If you are using Microsoft Outlook (either the standalone version or one that came with Microsoft Office), where you download the patch depends on the age of the product version you're using. For instance, if you are using Exchange Server 2000 or Office 2003, you can get this update from the same place you get regular patches -- Microsoft's Update site. If, however, you are using Office 2000 or an older version of Exchange (such as 5.0 or 5.5), you must obtain the fixes from the old Office Update site.

I've been promised a neat little chart from Microsoft that explains a bit more simply where to get patches for each product. Oh, and this flaw doesn't affect Outlook Express that comes installed by default on Windows.

Update: 4:57 p.m. ET: Here is the graphic I mentioned above. Look on the left for the version of Microsoft Exchange, Outlook or Office that you are running. The next two columns -- WU and MU -- stand for Windows Update and Microsoft Update, and indicate whether those sites host the fix you're looking for.

If you're counting on automatic updates to handle patching this Office/Outlook flaw for you and you're using an older version of those products, think again. You must apply the patch manually by heading on over to the Office Update site.

By Brian Krebs  |  January 10, 2006; 3:03 PM ET
Categories:  New Patches  


What does not using IE as my web browser have to do with downloading a patch? I clicked on the link to the old windows update site and got a message that I must be using a version of IE to access the site.

My PC does not have any MS operating system installed, but I do need to support other computer users who are not as blessed.

Someone at MS needs a slap to the back of the head (ala Gibbs on NCIS).

Posted by: Don Hawkinson | January 14, 2006 9:36 PM | Report abuse

Is there any other way to get this update for w98, other than installing that crap Windows update software?

just wondering

Posted by: Anonymous | January 17, 2006 3:19 PM | Report abuse

Is there any other way to get this update for w98, other than installing that crap Windows update software?

just wondering

Posted by: fdssfd | January 17, 2006 3:20 PM | Report abuse

I appreciate MS creating these patches for Win98; this OS is still in wide use and MS should continue so supporting it.

Why-oh-why, then, is there no patch for the recent WMF-flaw? MS's "excuse" -- as stated in its corresponding Security Bulletin that no exploit is currently known for this flaw in Win98 -- is inexcusable in my view, and I can only hope Mr. Krebs will have much more to say on this issue than simply that it is an opportunity for us to upgrade. Some of us "home users" can't justify the expense vis-a-vis our needs (and may not have the money besides), since such an upgrade will as likely as not in many cases have to include a brand new computer.

Can we Win98 users not have a little more moral support?

Posted by: bkadler | January 19, 2006 4:44 PM | Report abuse


© 2010 The Washington Post Company