Microsoft Issues 7 Patches

Microsoft today released seven security updates for computers running its Windows operating system and other software. Two of the patches fix problems Redmond labeled critical, meaning the company believes the flaws could allow the propagation of an Internet worm that spreads on its own to vulnerable PCs without any action on the part of the user.

Windows users can download the fixes from Microsoft Update (Internet Explorer required), or set up their computers to receive patches automatically via automatic updates.

One of the critical updates mends a problem in IE that Security Fix alerted readers to last week: another flaw in the way the Web browser parses image files known as Windows meta files (those created with a ".WMF" file extension).

Microsoft said an attacker could host a Web page used to exploit this vulnerability against visitors. Alternatively, an Outlook Express user (Express is installed by default on most Windows PCs) could infect his or her machine by simply viewing an infected WMF file in the program's e-mail preview pane. However, according to Microsoft, this flaw is only exploitable on Windows 2000 PCs with Service Pack 4 installed.

The second critical patch addresses a problem in Windows Media Player. Microsoft classifies the flaw as critical on most recent standalone versions of the player, as well as the one built into older versions of Windows, including Windows 98, Windows 98 Second Edition (SE), and Windows Millennium Edition (ME).

According to eEye Digital Security, the company that reported the flaw to Microsoft, the vulnerability is present in "Media Player versions 7.1 through 10 that run on the following Windows operating systems: Windows NT, Windows 2000 SP4, Windows XP SP1 and 2, and Windows 2003."

In other Microsoft news, Redmond on Monday officially rolled out the next beta version of its anti-spyware program, now called Windows Defender. The updated version will obtain new anti-spyware definitions via Microsoft's automatic updates feature.

Windows Defender also will no longer flag "cookies" -- text-based files that Web sites place on visitors' computers for a variety of purposes, from identifying a returnee to tracking other sites the user views. Microsoft posted an explanation for changing its tune on cookies on its Windows Defender FAQ:

"Because many cookies are used for legitimate purposes, Microsoft plans to refine the approach to cookies based on customer feedback received during the beta period. You can currently manage cookies through your Web browser."

Microsoft has a Web page that explains what cookies do and how to manage them in IE. This site has a pretty good tutorial on cookie management for Mozilla Firefox users.

Update, 3:50 p.m. ET: It appears that many Windows users are having trouble using automatic updates to install one of the patches released today, MS06-007, which Microsoft has rated "important." Users can still download and install the patch directly from the advisory itself: just make sure to pick the one that applies to your version of Windows.

Also, I just had a conversation with Tom Liston, an incident handler with the SANS Internet Storm Center and a security consultant at Intelguardians, and he says Microsoft may be downplaying the seriousness of some of this month's vulnerabilities, particularly MS06-008, a flaw in the Windows Web Client Service that Microsoft rated "important" on most Windows versions.

"This is going to be catching people off guard, because they'll have the service enabled and won't know it," Liston said. "This 'un is the priority for patching... if you can patch nothing else, patch this one."

Another vulnerability patched today that Microsoft rated "important" -- a flaw in a "plug-in" for Windows Media Player that allows it to interact with non-Internet Explorer browsers -- was classified in an advisory by vulnerability monitoring service Secunia as "highly critical." In this case, the problem only applies to alternative browsers, as the vulnerable plug-in is not used by IE.

"Via the Windows Media Player plugin, [Microsoft] has managed to make Firefox, Netscape, Opera, etc... vulnerable to," security holes in Windows, Liston said.

By Brian Krebs  |  February 14, 2006; 1:45 PM ET
 

Comments

The articles you referenced about cookies are pretty lame. My advice is always keep cookies out of your system unless you are doing business with a trusted source. Cookies are the main source of problems on Windows machines.

Posted by: rick | February 14, 2006 2:23 PM | Report abuse

I am having trouble downloading the first patch. Is anyone else having the same issue? It fails during download. I have tried it several times.

Posted by: Rob_20854 | February 14, 2006 2:29 PM | Report abuse

Yes. KB913446 won't install via Windows Update. Download and install it manually (for XP) from
http://www.microsoft.com/downloads/details.aspx?FamilyID=7bb21d74-c37b-472b-bb10-71d4680680a7&DisplayLang=en

Posted by: only_me | February 14, 2006 2:34 PM | Report abuse

Brian, one quick comment about MS06-004. It only affects IE 5.01 SP4. No other versions of IE are vulnerable.

It is strongly recommended to update to IE6 SP1.

Posted by: Matt | February 14, 2006 2:56 PM | Report abuse

I believe -008 is rated important instead of critical because it requires valid credentials.

It is possible for an attacker to authenticate as guest if simple file sharing is enabled, but if you are exposing file and print sharing ports to the Internet with the guest account enabled, you have probably already been hit by something.

Posted by: Matt | February 14, 2006 4:55 PM | Report abuse

When I click the link to the article / blog about the patches, it first takes me to a blog entry / article from Brian about an Antispyware conference. It gives just enough time (on dialup) to start reading that when it redirects to the patch article??? Odd behavior no?

Posted by: Joe | February 14, 2006 5:24 PM | Report abuse

Brian,
Thank you so much. Without the link you provided I'd never have known how to download KB913446 without any problem. That little yellow shield might have taken up permanent residence in the bottom tool bar!
You are also my only source for Firefox update arrivals: nothing pops up or blinks or changes color to let me know from Mozilla. But, thanks to you, I'm all up-to-date.

Posted by: Grandma Linn | February 14, 2006 5:29 PM | Report abuse

Joe -- That was a mistake in the link. It should be corrected shortly. We changed the location of Security Fix recently from http://blogs.washingtonpost.com/securityfix to http://blog.washingtonpost.com/securityfix

Posted by: Bk | February 14, 2006 5:37 PM | Report abuse

Thanks for the blog! I raced to the Microsoft website to update my computer and successfully downloaded all the patches except the one for XP. I have tried several times to update the XP patch and keep getting Error Code: 0x80242006.

Anyone else found a workaround?

Posted by: Distressed | February 14, 2006 7:49 PM | Report abuse

Here's an update from the MSRC on the -007 patch that is failing to install through WU/MU.

http://blogs.technet.com/msrc/archive/2006/02/14/419572.aspx

Posted by: Matt | February 14, 2006 8:01 PM | Report abuse

Brian, Thanks for the info on the link. I figured it had to be something out of kilter. And to Rick about cookies: If you try not accepting them it turns into a fiasco. Constantly being asked about them is a real pain. If you keep the Security updates and virus definition current, use SpyBot, Adaware etc., pay attention to Phishing e-mails, you shouldn't have problems with cookies or much else.

Posted by: Joe | February 14, 2006 10:09 PM | Report abuse

Re the KB913446 update. It worked when I did it by itself. Failed when tried the whole list at once.

Posted by: Joe | February 14, 2006 10:11 PM | Report abuse

WMF vulnerability was found in Antiviruses as well?

Posted by: Ishaan Prasad | February 14, 2006 11:42 PM | Report abuse

The failed hotfix wouldn't work with the automatic updates as a part of the list or separately here. The manual install referenced earlier in the comments does work however.

Posted by: Warner Crocker | February 15, 2006 12:19 AM | Report abuse

So, it seems a bit crazy to have an OS that has flaws that allow hackers to get into your computer. But an OS that has these flaws, plus flaws in the system they set up to fix the original flaws?!?!? (KB913446)

This sounds like the Old Woman who swallowed the fly.

Posted by: Michael | February 15, 2006 11:58 AM | Report abuse

>>> Cookies are the main source of problems on Windows machines. <<<

Did someone really say that?

Posted by: Mikey | February 15, 2006 12:03 PM | Report abuse

Joe wrote:
>>And to Rick about cookies: If you try not accepting them it turns into a fiasco. Constantly being asked about them is a real pain.

You only have to try not accepting the third-party ones.
http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#privacy

Posted by: Mark Odell | February 15, 2006 3:06 PM | Report abuse

Got a really quick response from Microsoft after having trouble downloading the XP patch.

At this time, I suggest that we install this update directly to check the result. For your reference, I have listed the detailed steps below.

1. Please download the update to the Desktop. For your convenience, I have listed the link of the update below:

http://download.microsoft.com/download/1/a/a/1aa60d30-9cb8-4fc8-bb79-21e0420a76ed/WindowsXP-KB913446-x86-ENU.exe

2. Double click the downloaded file and install the update you have downloaded.

After finishing the above steps, please try to access the Windows Update site again to see whether you have successfully installed the update.

Worked like a charm!

Posted by: re:Distressed No More | February 15, 2006 7:33 PM | Report abuse

This round of updates "broke" the printing drivers for our Dell Inspiron 1300 laptops using the new HP 1020 LaserJets. No mention on either HP or Microsoft's web site but a roll-back resolved the issue so it's definitely patch-related.

Posted by: Scott | February 16, 2006 12:38 PM | Report abuse


© 2010 The Washington Post Company