12 Microsoft Patches Plug 21 Security Holes
Microsoft today released a dozen security updates to fix at least 21 vulnerabilities in its Windows operating system and other software, including 12 flaws Redmond labeled "critical," its most severe warning level.
Today's patch bundle is the largest yet for 2006, and includes a huge patch rollup that mends at least eight different flaws -- four of them critical -- in nearly all versions of Microsoft's Internet Explorer Web browser. Microsoft considers a vulnerability "critical" if attackers could exploit it without any action on the part of the victim. As such, critical flaws in IE are especially dangerous because they expose users to the risk of having their computer completely hijacked by the bad guys just by inadvertently visiting a malicious Web site or clicking on a link that redirects them to one.
Microsoft noted in its advisory that instructions showing would-be attackers precisely how to exploit at least two of the IE vulnerabilities have already been published online, though the company said it was not aware of any ongoing attacks that leverage either exploit.
Microsoft numbers its patches sequentially each month, starting with those that fix the most dangerous flaws. The one following the IE patch corrects a problem in the way Windows renders image files ending in ".ART", an image format most commonly used by America Online. Microsoft said an attacker could exploit the vulnerability with a specially crafted image viewable through a Web browser or e-mail reader. This flaw affects nearly all versions of Windows, including Server 2003, Windows XP, Windows 2000, Windows 98, Windows 98SE and Windows ME. I'm not sure whether this presents any more of a problem for AOL Internet subscribers or for AOL Instant Messenger users, but I was chatting with SANS Internet Storm Center handler and chief technology officer Johannes Ullrich, and he brought up a good point: "I could see this getting abused with malformed AIM buddy icons." Yikes.
The next critical update patches a flaw in just about every version of Windows Media Player that Microsoft ever shipped. Yet another patch covers two critical flaws in Microsoft's "Routing and Remote Access" service. Microsoft says this service is designed to let companies using its server products access their Intranet from the greater Internet. Having a critical flaw in this service doesn't sound like good news for companies who use Microsoft server products and have employees who work from home: Most organizations take several weeks to test security updates before deploying them across their networks, mainly to ensure that applying the fix won't break other applications.
One odd "critical" update fixes a problem in Microsoft's graphics-rendering software that apparently is only present in older versions of Windows, specifically Windows 98, 98 SE and ME. This kind of flaw found exclusively in older versions of Windows is a tad alarming, given that Microsoft will stop shipping critical patches like these on July 11, when it officially ends support for those operating systems.
Microsoft's advisory on this flaw is worded so as to indicate the fix for this vulnerability may not be available for a short time. If you use one of the older operating systems and have trouble downloading this patch, please drop me a line or leave a note in the comments section below.
Today's patch bundle also includes an update that Microsoft promised last month to plug a security hole in Microsoft Word that hackers have been using to conduct highly targeted attacks designed to steal sensitive information. According to Microsoft, this flaw affects Word 2000, Word XP, Word 2003, and Microsoft Works suites for each year from 2000 to 2006. Contrary to earlier statements by Microsoft, the flaw also is present in Word Viewer 2003 (Microsoft had previously said that Word Viewer users did not have to fear this flaw).
Microsoft also issued a patch to plug a critical flaw in PowerPoint that attackers could use to seize control over computers just by convincing someone to open a specially crafted presentation (.PPT) file. The vulnerability is present in all versions of PowerPoint shipped with Microsoft Office 2000, Office XP and Office 2003, as well as Office 2004 for Mac and Office v.X for Mac.
Microsoft also issued updates to fix five other vulnerabilities that earned its "important" rating, but I'll spare readers the details on those for the moment. Just know that while these flaws may not have earned Microsoft's most severe rating, they still could allow viruses or online attackers to infiltrate and/or hijack your computer.
Patches are available via the Microsoft Update Web site or by activating Automatic Updates. Office 2000 users, please take note: You will also need to visit Microsoft's Office Update site to download the Office patches separately. Be sure you have your Office 2000 installation CD handy when you do, however, as the site usually asks you to pop it into your computer before it will successfully install the updates.
Update, 4:22 p.m. ET: I updated the first paragraph of this post to correct the number of critical vulnerabilities fixed in this patch bundle: I originally said there were 11 critical flaws, but it turns out I had counted the Remote Access flaw as one, when it in fact fixes two separate flaws that are considered critical on Windows 2000 systems.
June 13, 2006; 3:01 PM ET
Categories: New Patches