
Microsoft Fixes 23 Security Flaws

Microsoft Corp. today released free software updates to fix nearly two dozen security holes in its Windows operating system and Microsoft Office products. At least 17 of the 23 flaws could be exploited by attackers to hijack vulnerable systems or to install malicious code, the company warned.

Dig through the details of the advisories and you will see that instructions showing would-be attackers how to exploit at least nine of the flaws have already been posted online. Microsoft also said it has seen at least three of the flaws being actively exploited in the wild. As usual, updates are available via Microsoft Update (Internet Explorer required) or through automatic updates.

Microsoft typically lists its security advisories each month in order from most to least severe, and the first flaw detailed in today's patch bundle is a problem in the Windows "server service," which handles file sharing among Windows systems on the same network. This highly "wormable" bug is mainly a big deal for businesses: it is most severe on Windows 2000 systems, which are most common in corporate environments. Also, many Internet service providers filter file-sharing requests between customers, but file sharing is almost always turned on inside corporate networks.
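The two situations the paragraph above describes, file-sharing ports reachable across a border that should filter them and one internal host sweeping its neighbours the way a worm would, are both visible in ordinary firewall logs. The script below is an added example, not part of this post and not anything Microsoft or SANS published; it assumes a simple key=value log format (action, proto, src, spt, dst, dpt) and the sample lines, addresses and thresholds are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the Windows Server service (SMB/CIFS file sharing) listens on.
SMB_PORTS = {139, 445}

# Constructed sample firewall log in a generic key=value style. These are not
# real captures; sources use private and documentation address ranges.
SAMPLE_LOG = """\
2006-08-08T15:10:01 action=allow proto=tcp src=10.1.4.22 spt=1056 dst=10.1.4.50 dpt=445
2006-08-08T15:10:02 action=allow proto=tcp src=10.1.4.22 spt=1057 dst=10.1.4.51 dpt=445
2006-08-08T15:10:02 action=allow proto=tcp src=10.1.4.22 spt=1058 dst=10.1.4.52 dpt=139
2006-08-08T15:10:03 action=allow proto=tcp src=10.1.4.22 spt=1059 dst=10.1.4.53 dpt=445
2006-08-08T15:10:05 action=allow proto=tcp src=10.1.4.8 spt=2201 dst=10.1.4.50 dpt=445
2006-08-08T15:10:07 action=deny proto=tcp src=198.51.100.23 spt=3121 dst=203.0.113.10 dpt=445
2006-08-08T15:10:09 action=allow proto=tcp src=198.51.100.77 spt=4410 dst=203.0.113.12 dpt=139
2006-08-08T15:10:11 action=allow proto=tcp src=10.1.4.8 spt=2202 dst=10.1.4.60 dpt=80
2006-08-08T15:10:12 action=allow proto=udp src=10.1.4.9 spt=137 dst=10.1.4.255 dpt=137
"""

# Assumed log layout; adjust the pattern to the firewall actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+spt=(?P<spt>\d+)\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)\s*$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["spt"] = int(rec["spt"])
            rec["dpt"] = int(rec["dpt"])
            yield rec


def external_smb_hits(text, internal_nets):
    """TCP connections to 139/445 whose source lies outside the internal networks.

    Each hit is (src, dst, dpt, action). An 'allow' here means file sharing is
    reachable from outside the border, which the filter should be stopping.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for rec in parse_log(text):
        if rec["proto"] != "tcp" or rec["dpt"] not in SMB_PORTS:
            continue
        src = ipaddress.ip_address(rec["src"])
        if not any(src in n for n in nets):
            hits.append((rec["src"], rec["dst"], rec["dpt"], rec["action"]))
    return hits


def smb_fanout(text, threshold):
    """Sources that opened allowed TCP 139/445 connections to at least
    `threshold` distinct hosts.

    A worm exploiting the Server service spreads exactly this way: one host
    sweeping its neighbours on the file-sharing ports, so a high fan-out from a
    single source is the signal worth chasing inside a corporate network.
    """
    targets = defaultdict(set)
    for rec in parse_log(text):
        if rec["proto"] == "tcp" and rec["dpt"] in SMB_PORTS and rec["action"] == "allow":
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    internal = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    for hit in external_smb_hits(SAMPLE_LOG, internal):
        print("external SMB:", hit)
    for src, n in smb_fanout(SAMPLE_LOG, threshold=3).items():
        print(f"fan-out: {src} reached {n} hosts on SMB ports")
```

On the sample data the border check surfaces one allowed inbound connection to port 139 from an outside address, and the fan-out check flags 10.1.4.22 for reaching four neighbours on SMB ports in a few seconds; the threshold is arbitrary and should be tuned against a baseline of normal file-server traffic so that a busy print server is not mistaken for a worm.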

The SANS Internet Storm Center, which was credited in part with the discovery of this flaw, reported evidence of it being exploited publicly as early as June 30. According to SANS, Microsoft replied that it was already aware of the flaw at that time. I understand the Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) is set to release more information about this flaw later today. Of course, Security Fix will update this blog in the event that the DHS advisory adds any new wrinkles.

The next most serious advisory details two very dangerous vulnerabilities resident in Windows 2000, Windows XP and Windows Server 2003 that attackers could exploit merely by inducing a user to visit a malicious Web site. Microsoft said these flaws also could be exploited when a user opens a specially crafted e-mail or views one in the e-mail preview pane.

It wouldn't be a Patch Tuesday without a huge rollup for Microsoft's default Web browser. The IE patch fixes a total of eight vulnerabilities, five of which are especially serious -- depending on which version of the browser you're using and which version of Windows. One of the IE glitches, a problem with the way file transfers work, was originally reported to Microsoft in 2004.

Microsoft also fixed three critical vulnerabilities in versions of its Office software, including two that are actively being exploited to break into and steal information from vulnerable computers. One fixes Office 2000, Office XP and Office 2003, as well as the Microsoft Office and PowerPoint versions for Mac OS X (see the advisory for Mac Office download links). The second update addresses flaws in Office 2000 and XP, as well as Microsoft Project, Visio, Works and Visual Basic (see the advisory for links to those individual products).

Keep in mind that if you are using Office 2000 you will not be able to get those fixes through Microsoft Update or through automatic updates. Office 2000 users will need to visit Microsoft's Office site and click on the "check for updates" link in the upper right corner of the screen. Office 2000 users who do not have their installation CD handy should be able to install the updates by choosing "no" at the "Do you have your Office product CD?" prompt.

Update, Wednesday, 3:47 p.m. ET: A couple of notes on these patches. While Microsoft has indeed given Office 2000 users a way to patch without having the CD handy, that method failed for me and for others who commented below. As one reader suggested, users who have trouble updating can download the patches manually from the following two links:

Please leave a comment if the manual download/install of the Office updates failed for you. It worked for me.

Also, the Department of Homeland Security issued a press release urging people and businesses not to put off patching the Windows server problem (the first patch I mentioned in the main post above).

The DHS statement reads, in part: "Windows Operating Systems users are encouraged to avoid delay in applying this security patch. Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch. This vulnerability could impact government systems, private industry and critical infrastructure, as well as individual and home users."

DHS apparently is eager to head off another worm like "Zotob," one that surfaced about this time last summer, which exploited a very similar flaw to wreak havoc on the internal networks of several high-profile companies just days after Microsoft released a patch.

By Brian Krebs  |  August 8, 2006; 3:08 PM ET
Categories:  New Patches  


Any info on whether these are as buggy as the last batch of patches?

Posted by: S. H. | August 8, 2006 4:14 PM

S.H. -- that will take a few days to find out, probably.

Posted by: Bk | August 8, 2006 4:26 PM

>Any info on whether these are as buggy as the last batch of patches?<

It's tempting to have a policy of waiting for a week, just to be on the bug-safe side.

Posted by: John Johnson | August 8, 2006 4:59 PM

I've installed macromedia flash uninstall, but the nag flash installation returns. Any help?

Posted by: Mike Goldhamer | August 8, 2006 5:13 PM

I use this newsgroup site :

as an early warning for buggy patches -- those with problems seem to show up there pretty quick.
My own testing environment is all about VMware.

Posted by: malign | August 8, 2006 5:17 PM

Office Updates: I have Office 2000. When I go to Office Updates, I'm told I have 2 updates. When I click on "agree and Install", nothing happens -- no errors. Is there a problem with the update program? I tried searching for the KB files for the updates, no luck.

Posted by: Mike Goldhamer | August 8, 2006 5:27 PM

Like Mike Goldhamer... Office Updates: I have Office 2000. Problems with updates. When I go to Office Updates, I'm told I have 2 updates. When I click on "agree and Install", it starts the process, accepts my Office CD, blue hits the right side, and bam... message that "updates are unsuccessful"! Any ideas, or should I wait a while and retry?

Posted by: Powers | August 8, 2006 5:42 PM

"It's tempting to have a policy of waiting for a week, just to be on the bug-safe side."

No it isn't. That's what testing is for. If you sit around waiting for others to report bugs, that's just more time for you to get hit by an exploit.

Posted by: Matt | August 8, 2006 6:52 PM

I like to download the updates to my Linux machine, using Firefox, and then install them on our remaining Windows boxes as scheduling and testing permit.

Here is the URL for the MS TechNet August summary, which lists each update with the software to which it applies:

There are download links to the updates, also.

There is a general page that gives access to the more technical versions of the monthly bulletins:

Posted by: Rich Gibbs | August 9, 2006 12:20 AM

It seems that these might be a bit buggy for users of Office 2007 Beta.

We've had Outlook 2007 Beta become completely unusable on several machines after the latest patches were applied. We finally had to re-run the installer as the Office Diagnostics app failed to find any problems.

Posted by: Craig Bury | August 9, 2006 3:34 AM

I was having problems with Office 2000 updates, but thanks to Rich Gibbs' post above with links, I was able to manually download and install the patches. Many thanks.

Posted by: Powers | August 9, 2006 8:24 AM

KB918899 IE6 cumulative update kills AOL 9.0 running Win2000 Pro on an AMD K7. AOL loads and after signing on it shuts down. Had to uninstall the update to get it working again, but now it has no IE6 updates at all.

Posted by: Larry Burk | August 9, 2006 1:22 PM

Ironically, today's cumulative update for IE6 causes IE to crash every time I access the Post website (confirmed by uninstalling the patch, checking site, then reinstalling).

Posted by: hkl | August 9, 2006 1:55 PM

Did I read that correctly? Did MS finally eliminate the need to pull out your install CDs every time you need to patch Office?

Posted by: Jim | August 9, 2006 2:09 PM

Jim -- Yes, you did. However, it doesn't appear to work correctly, as I experienced first hand today, and as others have pointed out. I intend to update the blog shortly to point out that fact, and to a statement released by the Dept. of Homeland Security.

Posted by: Bk | August 9, 2006 3:32 PM

At the present rate of delivering patches, it won't be too much longer before the Microsoft OS is nothing but patches.

Posted by: rcjansen | August 9, 2006 5:47 PM

For Powers, Goldhamer and Office 2000 users with discs: I went to Office Update. My initial try got the error message after downloading "successfully" but installing wouldn't go. A second try from square one, with Disc #1 in place before starting, worked fine. When it asked for disc #2, it finished very quickly. I usually blame my very slow telephone connection and don't get too upset when it happens. Of course, no other company's updates have this problem. :)

Posted by: Grandma Linn | August 9, 2006 9:24 PM

I wonder why there have been so many fixes in MS products. Is it due to bad guys? Or due to MS's monopoly-oriented approach? Or due to technical difficulties of launching perfect products?

Posted by: ND | August 10, 2006 2:37 AM

We're having sporadic issues with IE just crashing. One user specifically can always get it to crash by looking up directions on and selecting the "printer friendly" link.

Posted by: Dave | August 10, 2006 1:54 PM

I did the full install on Win2000. Now my PC takes significantly longer to boot and IE keeps crashing on some web sites. The crash is repeatable at the same URL. I removed KB918899, Cumulative Security Update for Internet Explorer, and the crashing stopped, but the PC still takes too long to boot.

Posted by: jay | August 10, 2006 7:58 PM

I installed the KB918899 update and it's causing problems for me. IE crashed constantly and I'm unable to read posts on some forums (example - I removed the update and everything works fine now.

Any ideas?

Posted by: J.B. | August 11, 2006 12:26 PM

Along with the security patches, I got a notice for an "update" or "upgrade" for the Genius Mouse Mini Traveller.

Whatever you do, do not download it -- it really put a whammy on this computer and I spent 4 hours tearing my hair out trying to figure out how to stabilize the mouse, including going out and buying a new PS2 mouse rather than USB -- forget it.

I downloaded it thinking that it would make my life easier, as the mouse frequently sticks -- but when the computer rebooted after downloading this downgrade, the mouse went wild and was doing a tornado dance across the monitor, and no matter how many times I shut down and rebooted, I got the flimmers.

When I tried to use PS2, the mouse was ignored. Finally someone I called said, "try reloading the CD, you have it, don't you?"

I loaded the CD, but it was not recognized and the flimmering dance went on, so finally I jabbed the panic button and shut down. When I rebooted, the system detected the CD and reinstalled (apparently) the original software, so that when I checked the system updates, I could find no record of the MS downgrade for the Genius Mini Traveller Mouse.

Unfortunately tech support in the Czech Republic is very expensive and that would have cost me a cool 100 USD at least to sort it out, had I had to pack the computer across the city on my back.

Forget MS when it comes to any of their helpful downgrades for other-party software/hardware. Spooky experience and definitely not fun. But you can't invoice them, either.

Once they sell something it's not their problem -- especially if you happen not to be in the USA.

Posted by: pogomcl | August 11, 2006 1:26 PM

I downloaded the two Office 2000 updates using these links:

Neither would install. I get this message: "Insert the 'Microsoft Office 2000 SR-1' disk and click OK."

Posted by: Mark | August 11, 2006 6:43 PM

For those experiencing problems with the IE update, see this: posted at SANS

Posted by: TJ | August 11, 2006 10:33 PM

After I loaded the updates, I could no longer access the Post -- the logo and blue line with the sections in it loaded, and the little Windows icon in the upper right revolved endlessly, but no articles/headlines ever loaded. Finally got on my son's computer today to see if I could find something out about it here, since I couldn't find anyone else complaining about it on other sites.

Posted by: June | August 24, 2006 12:18 AM


© 2010 The Washington Post Company