12 Microsoft Patches Plug 21 Security Holes

Microsoft today released a dozen security updates to fix at least 21 vulnerabilities in its Windows operating system and other software, including 12 flaws Redmond labeled "critical," its most severe warning level.

Today's patch bundle is the largest yet for 2006, and includes a huge patch rollup that mends at least eight different flaws -- four of them critical -- in nearly all versions of Microsoft's Internet Explorer Web browser. Microsoft considers a vulnerability "critical" if attackers could exploit it without any action on the part of the victim. As such, critical flaws in IE are especially dangerous because they expose users to the risk of having their computer completely hijacked by the bad guys just by inadvertently visiting a malicious Web site or clicking on a link that redirects them to one.

Microsoft noted in its advisory that instructions showing would-be attackers precisely how to exploit at least two of the IE vulnerabilities have already been published online, though the company said it was not aware of any ongoing attacks that leverage either exploit.

Microsoft numbers its patches sequentially each month, starting with those that fix the most dangerous flaws. The one following the IE patch corrects a problem in the way Windows renders image files ending in ".ART", an image format most commonly used by America Online. Microsoft said an attacker could exploit the vulnerability with a specially crafted image viewable through a Web browser or e-mail reader. This flaw affects nearly all versions of Windows, including Server 2003, Windows XP, Windows 2000, Windows 98, Windows 98SE and Windows ME. Not sure whether this presents any more of a problem for AOL Internet subscribers or for AOL Instant Message users, but I was chatting with SANS Internet Storm Center handler and chief technology officer Johannes Ullrich, and he brought up a good point: "I could see this getting abused with malformed AIM buddy icons." Yikes.

Another critical update released today fixes a problem with Microsoft's implementation of Javascript, a powerful Web programming language that many sites use (bad guys also have been known to use Javascript flaws to install nasty programs). Redmond notes that this patch is meant to be installed alongside the IE bundle.

The Javascript flaw also is present in Windows Server 2003, Windows XP, Windows 2000, Windows 98, Windows 98SE and Windows ME.

The next critical update patches a flaw in just about every version of Windows Media Player that Microsoft ever shipped. Yet another patch covers two critical flaws in Microsoft's "Routing and Remote Access" service. Microsoft says this service is designed to let companies using its server products access their Intranet from the greater Internet. Having a critical flaw in this service doesn't sound like good news for companies who use Microsoft server products and have employees who work from home: Most organizations take several weeks to test security updates before deploying them across their networks, mainly to ensure that applying the fix won't break other applications.

One odd "critical" update fixes a problem in Microsoft's graphics-rendering software that apparently is only present in older versions of Windows, specifically Windows 98, 98 SE and ME. This kind of flaw found exclusively in older versions of Windows is a tad alarming, given that Microsoft will stop shipping critical patches like these on July 11, when it officially ends support for those operating systems.

Microsoft's advisory on this flaw is worded so as to indicate the fix for this vulnerability may not be available for a short time. If you use one of the older operating systems and have trouble downloading this patch, please drop me a line or leave a note in the comments section below.

Today's patch bundle also includes an update that Microsoft promised last month to plug a security hole in Microsoft Word that hackers have been using to conduct highly targeted attacks designed to steal sensitive information. According to Microsoft, this flaw affects Word 2000, Word XP, Word 2003, and Microsoft Works suites for each year from 2000 to 2006. Contrary to earlier statements by Microsoft, the flaw also is present in Word Viewer 2003 (Microsoft had previously said that Word Viewer users did not have to fear this flaw).

Microsoft also issued a patch to plug a critical flaw in Powerpoint that attackers could use to seize control over computers just by convincing someone to open a specially crafted presentation (.PPT) file. The vulnerability is present in all versions of Powerpoint shipped with Microsoft Office 2000, Office XP, Office 2003, as well as Office 2004 for Mac and Office v.X for Mac.

Microsoft also issued updates to fix five other vulnerabilities that earned its "important" rating, but I'll spare readers the details on those for the moment. Just know that while these flaws may not have earned Microsoft's most severe rating, they still could allow viruses or online attackers to infiltrate and/or hijack your computer.

Patches are available via the Microsoft Update Web site or by activating Automatic Updates. Office 2000 users please take note: You will need to also visit Microsoft's Office Update site to download the Office patches separately. Be sure you have your Office 2000 installation CD handy when you do, however, as the site usually asks you to pop it into your computer before it will successfully install the updates.

Update, 4:22 p.m. ET: I updated the first paragraph of this post to correct the number of critical vulnerabilities fixed in this patch bundle: I originally said there were 11 critical flaws, but it turns out I had counted the Remote Access flaw as one, when it in fact fixes two separate flaws that are considered critical on Windows 2000 systems.

By Brian Krebs  |  June 13, 2006; 3:01 PM ET
Categories:  New Patches  

Comments

Speaking of updates, a Windows Genuine Advantage pop-up informs me that Microsoft support for Windows XP SP1 ends October 10, 2006.

(I haven't updated this month's patches yet.)

Posted by: John Johnson | June 13, 2006 3:59 PM | Report abuse

Note that Microsoft recommends installing MS06-022 AND MS06-023 alongside the IE bundle (MS06-021).

Posted by: Steve Mullen | June 13, 2006 4:48 PM | Report abuse

For Mac users reading this, the easiest way to get the Powerpoint patch (as well as any others you might have missed, given that Office doesn't address security updates in the usual Mac way) is to:

1. Open any Office application.

2. Open the Help menu and click on Downloads and Updates.

3. Scroll to the appropriate version of Office, and follow the directions on their website.

Unfortunately, there is no quick and easy way to discover which security updates you already have installed, so you may need to spend some time reading. Also note that all Office security updates require an Administrator's password to be installed.

Hope this helps!

Posted by: Elenita | June 13, 2006 4:57 PM | Report abuse

Thanks for the pointers Elenita.

I also should note that anyone looking to patch their version of Microsoft Works will have to manually download the patches from the links in the Msft advisory at:

http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx

Posted by: Bk | June 13, 2006 5:05 PM | Report abuse

At some point in the near future it will be time to pay for Xp since they have now fixed about 75 percent of the nasty issues.

Posted by: peter canuk | June 13, 2006 6:15 PM | Report abuse

Brian Krebs wrote:
"Office 2000 users please take note: You will need to also visit Microsoft's Office Update site to download the Office patches separately. Be sure you have your Office 2000 installation CD handy when you do, however, as it the site usually asks you to pop it into your computer before it will successfully install the updates."


Actually, if you upgrade to 'Microsoft Update' (vs. 'Windows Update'), you'll be able to get all the Office updates while visiting Microsoft's update web page.

Upgrading to 'Microsoft Update' places a new icon at the top of your Start Menu... you can delete the old 'Windows Update' icon once you've upgraded.

And, if you visit the Office Update site and tell it to download the larger patches, you shouldn't have to dig out your Office installation CDs, even when downloading patches from the Windows Update web page. I haven't used mine in ages. The downloads are larger, but with broadband, it's not an issue.

Posted by: SpamSlayer | June 13, 2006 6:43 PM | Report abuse

SpamSlayer, I think you might be misinformed about the Office 2000 patches. Yes, you can get Office updates through Microsoft update, but patches for Office 2000 are NOT available through Microsoft or Windows Update. Office 2k users must visit Office Update to get their patches.

Posted by: Bk | June 13, 2006 6:50 PM | Report abuse

I haven't found that Microsoft's automatic updating actually takes place on the dates that they announce. Maybe it's something about time zones? I have my computer set to automatically download & install updates at 3 AM Eastern time.

Posted by: Catawba | June 13, 2006 9:29 PM | Report abuse

Hey, thanks for the info. I'm a first-time user of this site... I'll be using it more often. Thanks.

Posted by: Luke | June 13, 2006 11:17 PM | Report abuse

I stopped using MS's automatic update system a few years ago. I had a new computer running WinME (I know, I know, but they sold me the box with the dumb OS on it already...) The computer would boot up OK but everything after that could only be described as demonic. Some detective work revealed that the automatic updates had failed to install in 9 (nine!) different attempts. More detective work revealed that one of the patches was supposed to be installed separately - not an uncommon instruction.
I ran update manually, first installing that patch, rebooting, then installing the rest. This time it worked. The crippling hourly freezes ended, and I began a reasonable, if not ideal relationship with WinME.
But it was the end of my faith in M$ automatic updates.

Posted by: skylinr | June 14, 2006 1:02 AM | Report abuse

Nice round-up, feel like making it a regular service?

Posted by: Dominic White | June 14, 2006 5:23 AM | Report abuse

Would you please consider putting a date and time prominently at the top of each posting?
Thanks
Frank C

Posted by: Frank C | June 14, 2006 9:59 AM | Report abuse

Dominic -- Nice to see you. Not sure what you mean though? I do roundups like these every month when Microsoft releases patches.

Frank C -- The date and time are stamped at the top of each blog post. If you are viewing the "comments" version of the post, the time and date stamp are just above where the comments begin. See this post begins with:

Posted at 03:01 PM ET, 06/13/2006
12 Microsoft Patches Plug 21 Security Holes

And the version of this post that displays comments ends with:

By Brian Krebs | June 13, 2006; 3:01 PM ET | Category: New Patches
Previous: Spam Spotted Using TinyURL |

Posted by: Bk | June 14, 2006 11:00 AM | Report abuse

Does anyone know if there is an easy way to bring your computer up to date after re-staging it? For instance, my computer is starting to bog down and I would like to reload Windows XP from the source CD. The problem is, I then have to spend hours (even with a high speed connection) downloading all the Windows patches and updates since I bought the original disc.

Posted by: TAA | June 14, 2006 11:27 AM | Report abuse

To TAA: order the XP Service Pack 2 CD from MS. It has both SP1 and SP2 on it. You will still need your original XP CD and You still have to download the post-SP2 updates, but you'll cut a couple of hours off your re-staging.

The CD was free for a while after SP2's release. Currently the cost is $1.65 plus tax for a U.S. shipping address (for me the tax was $0.13).

http://www.microsoft.com/windowsxp/sp2/default.mspx

Posted by: Ken L | June 14, 2006 12:10 PM | Report abuse

As it happened, I was trying to manually update Windows when it failed, telling me that auto update was in progress. So I stopped until update was finished. I was then informed that priority update "Genuine Advantage Notification K905474" had failed. So after rebooting I tried again several times, but each time it fails! My copy of XP is genuine as verified by Microsoft previously.

Has anyone else had this problem?

Posted by: John Dublin | June 14, 2006 12:38 PM | Report abuse

Having just posted the above remarks, I decided to check my History page on Microsoft and discovered that K905474 was downloaded on May 9th last!!

What are Microsoft up to?? I thought that they checked your computer before telling you what patches were required! Time-wasters is the polite phrase of what I think of them!!

Posted by: John Dublin | June 14, 2006 12:49 PM | Report abuse

Take note that Microsoft has done a great job in the past several years of taking control of security, just as they said they would. There is no software product that is 100% secure and they have made leaps and bounds to handle the volume of attacks launched daily on such a large platform with enormous web presence. Taking that into consideration, I am comfortable with them making sure I have the latest security patches on my machines, more than I would on other operating systems.

Posted by: Kevin | June 14, 2006 2:34 PM | Report abuse

Another thing about upgrading Windows Service Packs, is that computer-company-specific patches may need to be applied. I have been preparing to install SP2, and needed to install a number of HP patches from HP's web site.

Posted by: John Johnson | June 14, 2006 5:29 PM | Report abuse

About the Windows genuine key... I don't have it, I failed... Do I still get those updates that are critical?
Please explain.
Thank you

Posted by: Nancy | June 14, 2006 9:27 PM | Report abuse

I'm surprised that you would write an article like this and fail to mention OpenOffice, which replaces Word, Excel and Powerpoint, and Firefox, which replaces Internet Explorer. Both are free.

Posted by: John Debaker | June 14, 2006 9:30 PM | Report abuse

Nancy

Read my posts, you may be seeing the same thing as I did. Check in your Add/Remove items in the Control Panel and you will probably find that you have already downloaded it in May!

Posted by: John Dublin | June 17, 2006 2:32 PM | Report abuse

I do regular spyware and AV checks on my PC and it runs good.
BUT, as soon as I did the newest critical updates (XP) my IE acted up. The homepage came up fine, but as soon as I typed in another address, a new window opens up blank and flashes (real quick) the page it is to load, but stays blank. I can not close out the 2 pages normally. I have to use task manager and repeatedly hit end task (tons of times), before the pages close. On the other hand, I can use firefox and it works fine...go figure! I'd rather use IE.

Does anyone know which of the latest criticals would cause this problem? Everything goes fine if I do a system restore back to before the updates.
Also, I've run sfc /scannow and also done 2 XP repair installs.
Thanks

Posted by: pshelly | July 6, 2006 11:01 AM | Report abuse

I finally found the BAD update KB916281, and that was the culprit causing all the problems. It took me almost 2 hours on DSL to do all the separate critical updates till that one. Does anyone else have problems with that update?
My PC runs fine now that I eliminated that patch.

Posted by: pshelly | July 6, 2006 3:21 PM | Report abuse

I've had the same problem as pshelly; my computer completely messed up after security updates. It kept rebooting at random, sometimes rebooting every few minutes, until I removed the last updates. But some of the updates can't be found in the Add/Remove folder (although I can see evidence they were installed, including your KB916281). Perhaps I shouldn't have done a system restore, which didn't help me anyway? I am afraid to update again, so my automatic update is turned off (note that Norton security turned it back on when first installed, so I had the problem twice!). Do you have to uninstall these updates in order of date/time of download? My computer is still not 100% and won't let me do a full system scan with Norton; it reboots halfway through!

Posted by: David Banks | July 9, 2006 9:37 AM | Report abuse

After repeated failures to install MS patch KB916281 on my XP system, I discovered that I was receiving Error Code: 0x80242008, which MS has little to say about.

This is what worked in my case.

I had moved my Program Files Directory to my D:/ drive using TweakUI some time ago and have found this causes troubles time and again applying MS patches properly.

Steps Taken:
1. Move Program Files directory back to C: drive using TweakUI.
2. Install KB916281 using Windows Update
3. Copy all files & directories from C:\Program Files\Internet Explorer\ directory
4. Paste and overwrite files in the 'Tweaked' D:\Program Files\Internet Explorer\ directory. (Recommend creating a Restore point before doing this!)
5. Move Program Files directory back to D: drive using TweakUI.
6. Try Windows Update again and Voila!

I still cannot understand how MS does not take into account that not all people have their Program Files directory on the original C: drive.

I hope this helps many others like myself.
Maxxximus
funbox@hotsnapz.com

Posted by: Maxxximus | July 26, 2006 2:34 AM | Report abuse

I've experienced a significant decrease in speed and function of Internet Explorer after downloading critical update KB916281 to a Windows 98 system. I now typically encounter "Error on Page", as well as excruciatingly slow page loads, which result in "Web Page Not Available". MS customer support told me to shove off... that support for Win 98 ended July 11, 2006. The rep told me to search the MS website for the solution to the problem. Good idea if one is a comp geek who has a computer that is functional. A pitiful passing of the buck for one who is unsavvy and has a computer that is barely functioning after downloading a critical MS Update. Any suggestions for restoration of the former usefulness of this dinosaur? The rep also had another epiphanetic idea... update to XP. Why would anyone want to contribute to the coffers of a company that fails to provide assistance for a problem resultant from its support software download? Thinking the cure is much worse than the disease... remove the downloaded update?

Posted by: GJ | September 30, 2006 9:47 AM | Report abuse
