Microsoft Fixes 23 Security Flaws
Microsoft Corp. today released free software updates to fix nearly two dozen security holes in its Windows operating system and Microsoft Office products. At least 17 of the 23 flaws could be exploited by attackers to hijack vulnerable systems or to install malicious code, the company warned.
Dig through the details of the advisories and you will see that instructions showing would-be attackers how to exploit at least nine of the flaws have already been posted online. Microsoft also said it has seen at least three of the flaws being actively exploited in the wild. As usual, updates are available via Microsoft Update (Internet Explorer required) or through automatic updates.
Microsoft typically lists its security advisories each month in the order of most to least severe, and the first flaw detailed in today's patch bundle fixes a problem in the Windows "server service," which facilitates file-sharing among Windows systems that reside on the same network. This highly "wormable" bug is mainly a big deal for businesses, since it is most severe on Windows 2000 systems (most common in corporate environments). Also, many Internet service providers filter file-sharing requests between customers, but file-sharing is almost always turned on inside corporate networks.
The SANS Internet Storm Center, which was credited in part with the discovery of this flaw, reported evidence of it being exploited publicly as early as June 30. According to SANS, Microsoft replied that it was already aware of the flaw at that time. I understand the Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) is set to release more information about this flaw later today. Of course, Security Fix will update this blog in the event that the DHS advisory adds any new wrinkles.
The next most serious advisory details two very dangerous vulnerabilities resident in Windows 2000, Windows XP and Windows Server 2003 that attackers could exploit merely by inducing a user to visit a malicious Web site. Microsoft said these flaws also could be exploited when a user opens a specially crafted e-mail or views one in the e-mail preview pane.
It wouldn't be a Patch Tuesday without a huge rollup for Microsoft's default Web browser. The IE patch fixes a total of eight vulnerabilities, five of which are especially serious -- depending on which version of the browser you're using and which version of Windows. One of the IE glitches, a problem with the way file transfers work, was originally reported to Microsoft in 2004.
Microsoft also fixed three critical vulnerabilities in versions of its Office software, including two that are actively being exploited to break into and steal information from vulnerable computers. One fixes Office 2000, Office XP and Office 2003, as well as Microsoft Office and PowerPoint versions for Mac OS X (see the advisory for Mac Office download links). The second update addresses flaws in Office 2000 and XP, as well as Microsoft Project, Visio, Works and Visual Basic (see the advisory for links to those individual products).
Keep in mind that if you are using Office 2000 you will not be able to get those fixes through Microsoft Update or through automatic updates. Office 2000 users will need to visit Microsoft's Office site and click on the "check for updates" link in the upper right corner of the screen. Office 2000 users who do not have their installation CD handy should be able to install the updates by choosing "no" at the "Do you have your Office product CD?" prompt.
Update, Wednesday, 3:47 p.m. ET: A couple of notes on these patches. While Microsoft has indeed given Office 2000 users a way to patch without having the CD handy, that method failed for me and for others who commented below. As one reader suggested, users who have trouble updating can download the patches manually from the following two links:
Please leave a comment if the manual download/install of the Office updates failed for you. It worked for me.
Also, the Department of Homeland Security issued a press release urging people and businesses not to put off patching the Windows server problem (the first patch I mentioned in the main post above).
The DHS statement reads, in part: "Windows Operating Systems users are encouraged to avoid delay in applying this security patch. Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch. This vulnerability could impact government systems, private industry and critical infrastructure, as well as individual and home users."
DHS apparently is eager to head off another worm like "Zotob," one that surfaced about this time last summer, which exploited a very similar flaw to wreak havoc on the internal networks of several high-profile companies just days after Microsoft released a patch.
August 8, 2006; 3:08 PM ET
Categories: New Patches