Microsoft's Monthly Patch Release Plugs 11 Security Holes
Microsoft Corp. today released software updates to fix at least 11 security holes in various versions of its Windows operating system and other products. Windows users can download the free updates manually from Microsoft Update or via Automatic Updates.
This month's patch batch includes an unscheduled update to remedy two vulnerabilities in Windows Media Player that criminals could use to install software on Windows PCs just by convincing users to open a specially crafted Windows Media Player file. Microsoft added this update at the last minute, not long after "proof-of-concept" code demonstrating how to exploit the flaw was posted online.
Another update fixes four separate security holes in Internet Explorer that an attacker could use to break into or steal data from affected PCs just by coaxing the user into visiting a Web site or opening an e-mail designed to take advantage of the flaw. The IE patch doesn't apply to IE 7, however. While there were several reports of vulnerabilities in IE 7 in the past month, Microsoft says it is still investigating these and that it might yet tackle them in future patches.
Today's patch bundle includes a fix to a dangerous hole in Microsoft Visual Studio 2005 that online scam artists already are using to compromise vulnerable machines. Visual Studio 2005 is not installed by default on any flavor of Windows, but if you do have this program installed on your computer, Microsoft Update should detect it and supply the needed patch.
None of the updates released today address problems in Microsoft Word that bad guys also are exploiting. On Dec. 5, Microsoft said it was aware of a serious security hole in just about every version of Word the company produced. Then over this past weekend, the company warned of yet another unpatched Word flaw that is currently being exploited. With all of the critical flaws patched in Office this year (so far 33 -- or more than a third of all critical updates Microsoft released in 2006), this is (oddly enough) the second month in a row in which Microsoft has not issued an Office patch.
I could spend a lot of time here offering advice about more secure software packages, or not opening e-mail attachments from unknown senders, etc. But the people who really need to heed that advice rarely seem to listen anyway.
For most users, the best advice I can give (and will continue to give) is to set up your PC to run under a limited user account. I should note here, however, that if you are already browsing the Web under a limited user account, you may need to temporarily switch over to an administrator account to install patches through Windows or Microsoft Update. Automatic Updates should work whether the user is running Windows under a limited or an administrator account.
December 12, 2006; 1:57 PM ET