Microsoft Patches 9 Security Holes
Microsoft Corp. today issued patches to mend at least nine separate vulnerabilities in its Windows operating systems and other software, including three security holes that criminal hackers already are exploiting. As always, users can download and install the patches via Microsoft Update or through the company's Automatic Updates service.
The new patches fix at least three vulnerabilities in Internet Explorer that hackers could use to install malicious software just by getting victims to visit a specially crafted Web site. One of the IE problems also is exploitable if a recipient merely views a tainted HTML message in an e-mail preview pane. Microsoft said the IE flaws are far less of a problem on Windows Server 2003 systems and for users of IE7, as the default security settings on those systems won't allow exploitation of the flaws.
While it doesn't address a vulnerability in IE specifically, a separate patch issued today corrects a flaw in the Windows "Microsoft Agent" service that also could be exploited just by convincing someone to visit a site that takes advantage of the security hole.
Another update fixes serious flaws in Adobe's Macromedia Flash Player, a component bundled with Windows XP systems. Adobe issued an update in September to fix this flaw, and provides more detail in its own writeup, which covers five separate Flash vulnerabilities. It is not unheard of for sites to try and use Flash vulnerabilities to install malicious programs, so don't ignore this important update.
Microsoft also fixed a critical bug present in the "workstation service" on Windows XP and Windows 2000. This bug is less of a problem for home users (assuming they have a firewall running) and more of a concern for businesses, as it would most likely be exploited once the attacker already has access to the company's internal network.
Also addressed in this month's patch batch are two critical flaws -- one in Microsoft's "XML Core Services" and the other in the "Client Service for Netware" -- neither of which are installed by default on Windows machines.
Finally, a note about the wireless device driver flaw that I wrote about this past weekend. I said I'd circle back if more vendors released updates, and it turns out that HP issued a patch in October to fix this flaw. HP users should be able to install this patch by visiting Microsoft Update, letting it scan, and then selecting the "Hardware/Optional" option at the left hand side of the screen. This worked on my HP laptop, and there may be updates for this flaw from other affected PC makers (Dell and Gateway come to mind).
I think it's great that Microsoft is offering Microsoft Update as a distribution mechanism for serious flaws in the PCs made by third parties, but most people probably would not know to check that portion of Microsoft Update, and I can't recall ever seeing any alerts from HP about this important patch.
November 14, 2006; 3:00 PM ET
Categories: Latest Warnings , New Patches , Safety Tips
Save & Share: Previous: Report: Firefox 2.0 Trumps IE7 In Phish-Fighting
Next: Guidance Software Settles With FTC Over Data Compromise
Posted by: GTexas | November 14, 2006 3:59 PM | Report abuse
Posted by: GW | November 14, 2006 7:58 PM | Report abuse
Posted by: SG | November 15, 2006 8:53 AM | Report abuse
Posted by: J. Warren | November 15, 2006 11:37 AM | Report abuse
Posted by: J. Rock | November 15, 2006 1:08 PM | Report abuse
Posted by: Frank C | November 17, 2006 4:53 PM | Report abuse
Posted by: Mary | November 28, 2006 11:26 AM | Report abuse
The comments to this entry are closed.