Microsoft Issues 7 Patches
Microsoft today released seven security updates for computers running its Windows operating system and other software. Two of the patches fix problems Redmond labeled critical, meaning the company believes the flaw could allow the propagation of an Internet worm that spreads on its own to vulnerable PCs without any action on the part of the user.
One of the critical updates mends a problem in IE that Security Fix alerted readers to last week: another flaw in the way the Web browser parses image files known as Windows meta files (files with a ".WMF" extension).
Microsoft said an attacker could host a Web page used to exploit this vulnerability against visitors. Alternatively, an Outlook Express user (Express is installed by default on most Windows PCs) could infect his or her machine by simply viewing an infected WMF file in the program's e-mail preview pane. However, according to Microsoft, this flaw is only exploitable on Windows 2000 PCs with Service Pack 4 installed.
The second critical patch addresses a problem in Windows Media Player. Microsoft classifies the flaw as critical on most recent standalone versions of the player, as well as the one built into older versions of Windows, including Windows 98, Windows 98 Second Edition (SE), and Windows Millennium Edition (ME).
According to eEye Digital Security, the company that reported the flaw to Microsoft, the vulnerability is present in "Media Player versions 7.1 through 10 that run on the following Windows operating systems: Windows NT, Windows 2000 SP4, Windows XP SP1 and 2, and Windows 2003."
In other Microsoft news, Redmond on Monday officially rolled out the next beta version of its anti-spyware program, now called Windows Defender. The updated version will obtain new anti-spyware definitions via Microsoft's automatic updates feature.
Windows Defender also will no longer flag "cookies" -- text-based files that Web sites place on visitors' computers for a variety of purposes, from identifying a returnee to tracking other sites the user views. Microsoft posted an explanation for changing its tune on cookies on its Windows Defender FAQ:
"Because many cookies are used for legitimate purposes, Microsoft plans to refine the approach to cookies based on customer feedback received during the beta period. You can currently manage cookies through your Web browser."
Update, 3:50 p.m. ET: It appears that many Windows users are having trouble using automatic updates to install one of the patches released today, MS06-007, which Microsoft has rated "important." Users can still download and install the patch directly from the advisory itself: just make sure to pick the one that applies to your version of Windows.
Also, I just had a conversation with Tom Liston, an incident handler with the SANS Internet Storm Center and a security consultant at Intelguardians, and he says Microsoft may be downplaying the seriousness of some of this month's vulnerabilities, particularly MS06-008, a flaw in the Windows Web Client Service that Microsoft rated "important" on most Windows versions.
"This is going to be catching people off guard, because they'll have the service enabled and won't know it," Liston said. "This 'un is the priority for patching... if you can patch nothing else, patch this one."
Another vulnerability patched today that Microsoft rated "important" -- a flaw in a "plug-in" for Windows Media Player that allows it to interact with non-Internet Explorer browsers -- was classified in an advisory by vulnerability monitoring service Secunia as "highly critical." In this case, the problem only applies to alternative browsers, as the vulnerable plug-in is not used by IE.
"Via the Windows Media Player plugin, [Microsoft] has managed to make Firefox, Netscape, Opera, etc... vulnerable to" security holes in Windows, Liston said.
February 14, 2006; 1:45 PM ET