Microsoft Fixes Record 26 Security Holes

Microsoft today issued a record-breaking number of security updates, fixing at least 26 separate security holes in its Windows operating system and other products, including 16 vulnerabilities in Microsoft Office and Office components.

By my count, this is the largest number of flaws Microsoft has fixed in one go outside of a Service Pack. Among the problems addressed in the ten patch bundles released as part of its monthly patch cycle are four flaws in Office, as well as four security holes each in different versions of Microsoft Word, Excel and PowerPoint (one of the Word flaws is only present in the version made for Apple Macintosh systems).

The biggest problem with these Office flaws -- aside from the fact that at least one of them is actively being exploited in targeted attacks against users -- is that almost without exception they are most serious (or "critical") in the 2000 versions of each software title.

That's a big deal because plenty of people (including the author) still use these older versions, and while users can get patches for recent versions of Office, Word, Excel and PowerPoint from the standard Microsoft patch sites -- such as Windows Update, Microsoft Update and via Automatic Updates -- people running Microsoft Office 2000, or standalone Word, Excel and PowerPoint versions cannot get updates for those products through the same means. Instead, they must add a second stage to their patching by heading over to the Office homepage and letting Office Update scan their machines.

Aside from the huge number of Office bugs, six of today's updates apply to fully patched Windows XP systems. Two of the updates also apply to "Vista," as the next version of Windows will be called, though Microsoft was not specific about where those flaws resided in Vista.

If I had to guess which flaws detailed today exist in Vista, I'd point to vulnerabilities Microsoft fixed in ".NET" -- a Microsoft programming language -- and its process for handling XML files (short for eXtensible Markup Language, XML is used to share data across the Web and over a variety of applications and operating systems).

The .NET flaw doesn't appear to be that big of a deal, but the XML bug is potentially very serious for all Windows operating systems. Microsoft said attackers could exploit this vulnerability to compromise Windows machines just by convincing users to visit a malicious Web site. This flaw could become widely exploited in the near future, as the bad guys begin reverse-engineering Microsoft's patches to zero in on the vulnerable code and create exploits to attack unpatched systems.

Microsoft also patched a flaw in Windows Explorer that criminals have been exploiting to compromise Windows computers over the past few weeks.

If you're a Windows user and don't receive patches via Automatic Update, fire up Internet Explorer and head on over to Microsoft Update and apply these updates. If you're using Windows 2000 or any of the individual Office 2000 components, visit Office Update as well.

By Brian Krebs  |  October 10, 2006; 3:14 PM ET
Categories:  New Patches  

Comments

"...fire up Internet Explorer and head on over to Microsoft Update and apply these updates..."

> Maybe not:

- http://blogs.technet.com/msrc/archive/2006/10/10/October-2006-Bulletin-Release.aspx
October 10, 2006
"...Due to some network issues experienced on the Microsoft Update platform, the October security updates released today are not yet currently available via:
* Microsoft Update
* Automatic Updates
* Windows Server Update Services (WSUS)
* Windows Update v6
To be clear, it's a delay due to the networking for these systems: there are no issues with the security updates themselves. Also, this issue doesn't affect customers using Software Update Services (SUS), Windows Update v4 or Office Update. Those of you affected by this delay who want to deploy the updates immediately can go ahead and download and deploy these updates manually by visiting http://www.microsoft.com/technet/security for the list of bulletins released today and then downloading the updates directly from the links in the bulletin..."


Posted by: J. Warren | October 10, 2006 4:18 PM | Report abuse

Office update is working, but Microsoft Update and Windows Update are both crashing when you try to load the pages.

One question, are any of the recent vulnerabilities used to send forged spam? The last 3 days there has been an explosion of forged spam sent out with my domain address.

I have also received an inordinate amount from others with the same content. One thing you can do is to examine the links in the spam. If any kind of affiliate link is used, you can email the provider and have their account shut down.

Posted by: PJ | October 10, 2006 5:15 PM | Report abuse

MS Update crashing is not the issue that I'm having, just the "No updates available for your computer." I love that MS can't even get the patches for its problems done right. The last half-dozen times I've gone to the site on "Patch Tuesday," I've come up empty, sometimes for several days at a time. Clowns.

Posted by: Bob | October 10, 2006 5:24 PM | Report abuse

If you're a Windows user and don't receive patches via Automatic Update, fire up Mozilla's Firefox and head on over to www.ubuntu.com and apply these updates (some may call this downloading an iso). If you're using Windows 2000 or any of the individual Office 2000 components, visit OpenOffice.org as well.

Posted by: Matt | October 10, 2006 5:44 PM | Report abuse

I wish Mr. Krebs would point out just how much more Microsoft needs to do and if possible push them for answers.

Fixing 26 holes is good but that makes me wonder just how many more remain. Finding security holes in six year old programs *now* makes me wonder if Microsoft has a systematic process for finding and fixing *all* holes -- not easy but doable given their resources. I bet the bad guys (and governments) are systematically probing for holes -- to assume otherwise is to put your head in the sand. Most programmers know how easy it is to find bugs compared to fixing them so looks like we will have monthly patches coming in for a long long time. Right now the only safe solution is to keep all valuable data on a machine not attached to the network but this is impractical for most people.

Posted by: Anonymous | October 10, 2006 6:59 PM | Report abuse

I am a Linux user and I recently tried to go back to XP so that my daughter can play video games. However I soon gave up on XP after discovering that my box was infected with a trojan within 10 minutes of connecting to the internet. I decided to wipe my hard drive and reinstall Linux. Even with the patches, keeping an XP machine free of malware is virtually impossible. Make the switch, you will never look back.

Posted by: MB | October 10, 2006 8:54 PM | Report abuse

keep in mind that these holes could have been found a year ago, writing a patch takes a long time and is not as easy as some might think

Posted by: galen | October 10, 2006 9:08 PM | Report abuse

I use Microsoft Internet Explorer on Windows 2000 Professional and have never had any problems with viruses, trojans, etc., even though I do not use any antivirus software and have no firewall. The secret? My normal account (which I always use when surfing) gives me no special privileges -- I can't write to the registry or install software. I have been attacked half a dozen times (mostly when visiting porno sites), but the attack always fails. Occasional checks using virus-detecting software show my system is clean. For me to be attacked successfully, the attacker would have to be capable of privilege escalation.

To summarize: The single most important thing you can do to prevent infection is to log on with no privileges. You can create a suitable account to this end by logging on just once under the admin account and creating a new account with no privileges. Thereafter, always log on to that account except when you need to install software (from a trusted vendor or site, of course).

Posted by: A. Mason | October 10, 2006 9:53 PM | Report abuse

FYI...

- http://blogs.technet.com/msrc/archive/2006/10/10/October-2006-Bulletin-Release.aspx
October 10, 2006 7:16 PM
"...our teams have resolved the network issues with Microsoft Update. You should start seeing content replicated out to Microsoft Update, Automatic Updates, Windows Server Update Services (WSUS), Windows Update v6."


Posted by: J. Warren | October 10, 2006 10:36 PM | Report abuse

Software will always need to be patched, regardless of the vendor. No point in whining about it.

To the Linux user who posted: "I soon gave up on XP after discovering that my box was infected with a trojan within 10 minutes of connecting to the internet."

Must have been running as "administrator" AND not using a good firewall! I thought Linux users were technically savvy to avoid this? Sounds like a setup to slam Windows. By the way, don't rely on just a software firewall either. Get a SOHO hardware unit! The Internet is a dirty place use protection!

Been using Windows for ten plus years, never had an infection of anything. Why is that? Be smart. A computer is a very powerful tool, with that power comes great responsibility!

Posted by: TJ | October 10, 2006 11:06 PM | Report abuse

TJ - stop shelling out your aggrandizing pseudo-tech-support babble. Have you ever tried running Windows on a computer that doesn't have administrator privileges? I did and it lasted for about 30 minutes until I had to install anti-virus software (haha!). Upon a fresh install of Windows XP Home Edition, I was promptly hit by prodding from Blaster, messages from Windows Messenger (msmsg), Slammer, and port scans on 4444 and 65.

"Always use a good firewall" is a typical response to people using the internet which is a horrible response to problems that need to be FIXED rather than PATCHED.

Finally, not to be picky: to the author of this article - .NET is not a programming language.

Posted by: Sean | October 10, 2006 11:23 PM | Report abuse

If I had to guess which flaws detailed today exist in Vista, I'd point to vulnerabilities Microsoft fixed in ".NET" -- a Microsoft programming language

Right, you clearly have no idea what you are talking about given there is no such thing as a ".NET" language. Your editor should seriously be considering your contract if you can't even get the basics right.

Posted by: Anonymous | October 10, 2006 11:48 PM | Report abuse

I don't see why people say Windows is so dangerous.. and you somehow get viruses in 10 minutes on the internet. I have been using Windows XP for the last 5 years without a firewall and have yet to get a virus. Although I did get a lot on Windows 98 (probably cause I didn't use as much common sense.. really that's all it takes)

26 patches.. better not have to restart lol

Posted by: Nat | October 11, 2006 1:03 AM | Report abuse

A. Mason says he doesn't have any antivirus software and then says he scans his computer with antivirus software. R U A Dopehead?
Running with a less privileged account is inconvenient because of the extra log offs and restarts but whatever gets you off.
Firewalls help protect from intrusion through the network, but are not able to stop viruses from being entered into the system. Use antivirus as well, scan files before installation.
As Posted by: Matt | October 10, 2006 05:44 PM, do at least try Ubuntu before knocking Linux. It is a 100% free and enjoyable experience. I like Microsoft Windows OS' but I am not stupid enough to only use the first product I ever purchased. Free market allows for stiff competition to force people to create better products or lose market share. Linux is not about increasing costs to users and allows you to tailor applications to suit your needs.
Also, aLinux is another Linux OS I tried and am pleased with. Not so different from XP that you would have to re-learn anything to use.

Posted by: Another Know It All | October 11, 2006 3:59 AM | Report abuse

"Running with a less privileged account is inconvenient because of the extra log offs and restarts but whatever gets you off."

Use Fast User Switching to run the admin account at the same time. That works well.

Posted by: Bengt Larsson | October 11, 2006 6:33 AM | Report abuse

what ever XP is the best

Posted by: Haroon | October 11, 2006 6:37 AM | Report abuse

4Q Xp my thing!!!!!!

Posted by: Syed | October 11, 2006 7:18 AM | Report abuse

Or, just forget the whole Windows nightmare thing and switch to Macintosh. You can still boot into Windows if you need to for your games or Windows specific apps. Otherwise, remain safe and secure within the Mac OS X operating system.

When was the last time you heard of a virus, hack, trojan horse, or spyware warning for the Mac? I've run my Mac for years 24/7 connected to broadband and never had a problem. And, I don't have one drop of anti-virus, anti-spyware and anti-anything installed.

You do have an alternative and I just wonder why this is not reported along with all the woe in a Windows story.

Posted by: Ken Dykes | October 11, 2006 7:26 AM | Report abuse

"people running Microsoft Office 2000"

That's me - I run Office 2000. I would love to patch it. I visited the Office patch site and it downloaded some lovely big patches.

Unfortunately I cannot patch it. Every time it runs it wants the original disks. I use a work computer with a corporate license installed from a lan. My computer is a laptop and I live hundreds of miles from the office. When I am there (rarely), I am using my computer and there isn't time to wait around while I load however many service packs and patches. I would like to patch - but with Office 2000 it isn't possible.

Posted by: B. Smith | October 11, 2006 9:39 AM | Report abuse

@Sean,

I've been using Windows as a non-administrator for YEARS! It's not that hard to do. Sure, it's inconvenient and requires some effort to implement, but the benefits are enormous!

Also, if your AV software REQUIRES administrator to run, get rid of it! That's equivalent to a home security system that requires leaving the doors unlocked! There are plenty of good AV programs out there that will run AND update themselves WITHOUT requiring administrator! Administrator should ONLY be needed to install or configure, never to run.

On that note, if ANY software requires you to run as administrator, try to find another product that doesn't. Force software makers to change.

Also, here is some helpful information regarding computer security:

Aaron Margosis' WebLog The easiest way to run as non-admin
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx

You Got Served, and You Had No Idea?
http://www.symantec.com/enterprise/security_response/weblog/2006/07/you_got_served_and_had_no_idea.html

Anti-virus vs. Non-Admin
http://blogs.msdn.com/aaron_margosis/archive/2006/06/02/614226.aspx

Posted by: TJ | October 11, 2006 10:25 AM | Report abuse

>Even with the patches, keeping an XP machine free of malware is virtually impossible.<

I bought my XP machine in 2002, and it's still malware-free. All it took, was current security software, and a little common sense.

Posted by: JohnJ | October 11, 2006 10:39 AM | Report abuse

I have just discovered that Microsoft will NOT be providing IE 7 for W2K. This is really disappointing. W2K is an excellent operating system. Why should I be forced to purchase XP and install it, just so I can continue to get the security updates and IE 7.

I have 512 MB RAM on one computer and 1 GB on my laptop. Upgrading to Vista is not in the cards because that would require that I purchase new hardware to get 2-4 GB RAM.

I think that Microsoft should provide updates for W2K.

Posted by: Linda Hewitt | October 11, 2006 12:16 PM | Report abuse

@B Smith,

On the Office Update website, when prompted "Do you have your Office product CD?" choose "No". This will look for larger update files that do not require the installation media.

Posted by: TJ | October 11, 2006 12:17 PM | Report abuse

I kicked Brian's tires once when he was dissing MSFT so hard but I think he has backed off dissing and focuses on aid and assistance - smart man.

MSFT is naturally the target of all smart hackers since they are the biggest target in the game.

Posted by: domjr2 | October 11, 2006 2:09 PM | Report abuse

Ok, Linux Guys. Ever tried to get a wireless card to work on a laptop running some flavor of Linux? Recompiling the kernel, etc. That was easy and fun. Try walking your 70 year old parents through the process over the phone.
What if I want to edit some digital videos shot with my camcorder on a Linux box? For the average home user, it's just not practical.

Posted by: Bill G. | October 11, 2006 4:52 PM | Report abuse

Out of the box support for hardware is actually better in Linux than in Windows. Most Windows users don't know this because their OS comes preinstalled with all the drivers. Most wireless card makers have so far been reluctant to support Linux. That's their fault, not Linux's. In the meantime, Ndiswrapper allows you to use Windows based drivers to run your wireless card in Linux. How cool is that?

Posted by: MB | October 11, 2006 8:24 PM | Report abuse

Bill: "What if I want to edit some digital videos shot with my camcorder on a Linux box?"

Google "open source video editor" and you will find more video editors than you can shake a stick at.

BTW most of the major Hollywood studios use Linux boxes for their special effects editing. Not Macs, not Windows...Linux.

Posted by: MB | October 11, 2006 8:43 PM | Report abuse

I cannot find any indication that the 26 patches released Tuesday fix the ActiveX (daxctle.ocx) control problem of Internet Explorer.
Microsoft Security Advisory (925444)

According to Sunbelt Software, exploits exist on the internet for this issue.

There is no 925444-specific patch, and no "cumulative Internet Explorer" patch.

Did I miss something?

Posted by: Al | October 12, 2006 1:06 AM | Report abuse

Al -- No you are not mistaken. For whatever reason, Microsoft's patches do not appear to have addressed this problem in this month's release.

Posted by: Bk | October 13, 2006 12:37 AM | Report abuse

This may lend some light to the unpatched IE vulnerability (daxctle.ocx) Active X:

http://www.viruslist.com/en/news?id=201631394

"Microsoft was planning to release a total of eleven patches, but one of them did not pass quality control testing and was held back."

Hopefully, MS will expedite the daxctle patch once it does pass their QC process - if indeed that's the one that was held back.

Posted by: Al | October 13, 2006 1:19 AM | Report abuse

@MB
>>However I soon gave up on XP after discovering that my box was infected with a trojan within 10 minutes of connecting to the internet.

As a Linux user, did it ever occur to you to connect for the first time, run the command 'netstat -an' in a command window, then disconnect (total connection time = 15 seconds max) and see which network ports were open?
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

>>Even with the patches, keeping an XP machine free of malware is virtually impossible.

I beg to differ; but keeping XP malware-free is just not easy for most users, which is why IMCO Microsoft should 'bite the bullet' and ship XP (and soon Vista) secured by default.

@Sean
>>Upon a fresh install of Windows XP Home Edition, I was promptly hit prodding by Blaster, messages from Windows Messenger (msmsg), Slammer, and port scans on 4444 and 65.

For "Slammer" ITYM "Sasser" the port-445 worm.

If you were getting messages through Windows Messenger, check to see that the Messenger service is disabled.

@Ken Dykes
>>When was the last time you heard of a virus, hack, trojan horse, or spyware warning for the Mac?

Would you settle for a still-unfixed vulnerability?
http://apple.slashdot.org/comments.pl?sid=185685&cid=15326458

Posted by: Mark Odell | October 14, 2006 4:24 PM | Report abuse
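Mark Odell's advice above (run `netstat -an` right after the first connection and see which ports are open) and Sean's report of scans against port 4444 both come down to the same defender's check: compare what a freshly installed box is listening on against what it should be listening on. The script below is an added example, not code from the post or from any of the commenters. It parses the Windows `netstat -an` output format, keeps TCP sockets in the LISTENING state plus every bound UDP socket, and reports anything not on an allowlist. The sample output and the allowlist are constructed assumptions for illustration: the allowlist stands in for whatever services a given machine legitimately needs (the linked hsc.fr article on minimal Windows services is the kind of source you would build it from).

```python
"""Flag listening sockets that a freshly installed Windows box should not expose.

Reads `netstat -an` text, returns (proto, port) pairs, and compares them with an
allowlist. The sample below is CONSTRUCTED to look like Windows XP-era output;
it was not captured from any real machine.
"""
import re
import subprocess

# Constructed sample `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    127.0.0.1:123          *:*
"""

# One netstat row: proto, local addr:port, foreign addr, optional state (TCP only).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Assumed allowlist for a workstation that needs Windows file sharing and NTP.
# This is an assumption for the example; derive your own from the services you run.
EXPECTED = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445),
    ("UDP", 445), ("UDP", 123),
}


def listening_sockets(netstat_text):
    """Return sorted (proto, port) pairs for TCP LISTENING sockets and all UDP sockets."""
    found = set()
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header, blank line, or something we do not understand
        proto, _local, port, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT etc. are not exposed services
        found.add((proto, int(port)))
    return sorted(found)


def unexpected_listeners(netstat_text, expected=EXPECTED):
    """Sockets that are open but not explained by the allowlist: these need a look."""
    return [sock for sock in listening_sockets(netstat_text) if sock not in expected]


def live_netstat():
    """Run the real command on a Windows host (not used by the stand-alone demo)."""
    return subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Demo on the constructed sample: reports TCP 4444 and UDP 1026 as unexplained.
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {proto} socket on port {port}")
```

On a real machine you would pass `live_netstat()` instead of `SAMPLE_NETSTAT`; the point of the allowlist is that the output is a short list of things to explain rather than the whole table, and a port you cannot explain on a box that has been online for fifteen seconds is exactly the signal the commenter was after.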

© 2010 The Washington Post Company