Microsoft Patches 18 Security Flaws in Windows, Office
Microsoft Corp. today released seven security updates to address 18 separate flaws in its Windows operating systems and Office software, including 13 problems that earned a "critical" severity rating, the company's most dire.
Microsoft labels a security hole as "critical" if it can be used to hijack vulnerable machines without any action on the part of the user. All but two of the flaws addressed in today's patches can be exploited on some version of either Microsoft Office or Windows to let attackers seize total control over a vulnerable system.
Three of the patches mend flaws in Microsoft Office, including eight specific to Microsoft Excel. As Security Fix noted in recent posts, software blueprints showing would-be attackers just how to exploit two of these Excel flaws are already available online.
The most serious of the Excel vulnerabilities affect the versions found in Microsoft Office 2000. Unfortunately, patching this older version of Office takes a few more manual steps. These users will need to fire up Internet Explorer and mosey on over to Microsoft's Office site and click on "Check for Updates" in the upper right-hand corner of the page.
If you are an Office 2000 user and have never installed an Office update before, you are in for a real treat. There are no fewer than three service packs (bundles of patches) worth of updates to install, and you will need to have your Office installation CD handy, as the Office patch installer will prod you to drop it into your CD-ROM drive at some point. Remember, if you're using Windows 2000, the Office updates won't be installed even if you have Windows configured to download and install patches automatically; Automatic Updates covers Windows, not Office 2000. Whatever you do, don't put off installing these important fixes: Microsoft has acknowledged that hackers already are exploiting at least some of them to break into computers or steal information from victims.
Users of Microsoft Office XP or Office 2003 have it much easier -- they can quickly download the updates from Microsoft Update, the same place where Windows patches are made available. These vulnerabilities also are present in Microsoft Office 2004 for Mac, as well as in Office v. X for Mac. Users of those products can download the fixes directly from Microsoft.
One vulnerability fixed today that appears very serious is a critical flaw in the Windows DHCP client service, which obtains the computer's network (IP) address from a DHCP server when the machine first boots up or connects to a network. Because the client talks to whatever DHCP server answers on the local network, a hostile host on the same network segment could reach the flawed code. This vulnerability is present in otherwise fully patched versions of Windows 2000, Windows XP and Windows Server 2003.
Another dangerous security hole resides in the Windows "Mailslot" function, which handles certain communications traffic between Windows machines on the same network. Computer security company Symantec said it considers this flaw the most critical of today's security bulletins, as it could be used to rapidly compromise multiple systems within a network. This problem exists in all Windows 2000, XP and Server 2003 systems.
Under its support policy, today was to mark the last time Microsoft would ship security updates for Windows 98, Windows 98 Second Edition (SE), and Windows Millennium Edition (ME) systems. As it happens, none of today's updates address those older OSes, unless you count the vulnerabilities in Microsoft Office, which could be (and probably is) running on millions of Windows 98 and ME machines.
Earlier today, Security Fix posted the results of a series of tests on which security software titles still play nice with Windows 98/ME, so if you're considering sticking with one of these operating systems for some time, you may want to check it out.
Update, 4:26 p.m. ET: The SANS Internet Storm Center echoes Symantec's concern over the seriousness of the Mailslot flaw. They note that it was co-discovered by Pedram Amini from TippingPoint and H D Moore from the Metasploit Project, the latter of which offers system administrators a free, automated way to test whether their networks are vulnerable to certain security holes. Unfortunately, bad guys use this open-source tool as well, and the Metasploit team has a consistent track record of releasing working exploits for flaws they discover shortly after patches are released to fix them.