Microsoft's Monthly Patch Release Plugs 11 Security Holes

Microsoft Corp. today released software updates to fix at least 11 security holes in various versions of its Windows operating system and other products. Windows users can download the free updates manually from Microsoft Update or via Automatic Updates.

This month's patch batch includes an unscheduled update to remedy two vulnerabilities in Windows Media Player that criminals could use to install software on Windows PCs just by convincing users to open a specially crafted Windows Media Player file. Microsoft added this update at the last minute, not long after "proof-of-concept" code demonstrating how to exploit the flaw was posted online.

Another update fixes four separate security holes in Internet Explorer that an attacker could use to break into or steal data from affected PCs just by coaxing the user into visiting a Web site or opening an e-mail designed to take advantage of the flaw. The IE patch doesn't apply to IE 7, however. While there were several reports of vulnerabilities in IE 7 in the past month, Microsoft says it is still investigating these and that it might yet tackle them in future patches.

Today's patch bundle includes a fix for a dangerous hole in Microsoft Visual Studio 2005 that online scam artists already are using to compromise vulnerable machines. Visual Studio 2005 is not installed by default on any flavor of Windows, but if you do have this program installed on your computer, Microsoft Update should detect it and supply the needed patch.

None of the updates released today address problems in Microsoft Word that bad guys also are exploiting. On Dec. 5, Microsoft said it was aware of a serious security hole in just about every version of Word the company produced. Then over this past weekend, the company warned of yet another unpatched Word flaw that is currently being exploited. With all of the critical flaws patched in Office this year (so far 33 -- or more than a third of all critical updates Microsoft released in 2006), this is (oddly enough) the second month in a row in which Microsoft has not issued an Office patch.

I could spend a lot of time here offering advice about more secure software packages, or not opening e-mail attachments from unknown senders etc. But the people who really need to heed that advice rarely seem to listen anyway.

For most users, the best advice I can give (and will continue to give) is to set up your PC to run under a limited user account. I should note here, however, that if you are already browsing the Web under a limited user account, you may need to temporarily switch over to an administrator account to install patches through Windows or Microsoft Update. Automatic updates should work whether or not the user is running Windows under a limited or administrator account.

By Brian Krebs  |  December 12, 2006; 1:57 PM ET
Categories: Latest Warnings, New Patches, Safety Tips

Comments

"I could spend a lot of time here offering advice about [...] not opening e-mail attachments from unknown senders etc."

Actually, given malware that harvests addresses and forges the From: line, better advice is "don't open e-mail attachments *you weren't expecting* *even from known* senders".

Posted by: Brent Nordquist | December 12, 2006 2:12 PM | Report abuse

Yes, of course you are right Brent. Microsoft recently added that bit of caution to its advisories, saying that users should be suspicious even of unexpected attachments in emails from known senders.

Posted by: Bk | December 12, 2006 2:41 PM | Report abuse

After browsing the release information on these patches, something jumped out at me:

Newer products such as Internet Explorer 7, Media Player 11, and Windows Vista are not impacted.

Either they are more secure (should be) or haven't been out long enough to find vulnerabilities. Interesting either way.

Maybe Microsoft's Trustworthy Computing is paying dividends.

BTW, great advice to run as a "Limited" user, best defense against malware!

Posted by: Tim | December 12, 2006 5:11 PM | Report abuse

Actually, even if you have Media Player 11, you'll probably still download the Media Player fix. It affects Media Player 6.4, which I discovered is still in the Media Player directory as mplayer2.exe.

Posted by: tallbear | December 13, 2006 11:02 AM | Report abuse

Brent Nordquist> Actually, given malware that harvests addresses and forges the From: line, better advice is "don't open e-mail attachments *you weren't expecting* *even from known* senders".

Corollary advice: don't send as an attachment that which is equivalent or even superior as the body of the message. Too often I receive Word documents from others that, upon being opened, turn out to be just text, often badly formatted. This could just as easily be badly formatted plain text or HTML, so why do people bother to compose it in Word and send it as an attachment when they could have simply typed it directly in the email client? Had they done so, the message would be readable right there in my email client, and as a side benefit, I wouldn't have to worry that it's laden with malware.

I use OpenOffice anyway, so it's less likely that a Word vector will affect me, but receiving an unnecessary Word/PowerPoint/PDF/etc. document always lowers my estimation of the sender's intelligence. Worse, it trains people to open these emailed documents all the time, and that's why we have this problem.

Posted by: antibozo | December 13, 2006 12:57 PM | Report abuse

"Actually, even if you have Media Player 11, you'll probably still download the Media Player fix. It affects Media Player 6.4 which I discovered is still in the Media Player directory as mplayer2.exe"

Per the FAQ portion of the Microsoft Bulletin:

http://www.microsoft.com/technet/security/Bulletin/MS06-078.mspx

"I have installed Windows Media Player 11 on my computer. Why am I being offered the Windows Media Player 6.4 security update?
While Windows Media Player 11 is not vulnerable, Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Microsoft Windows Server 2003 or on Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 x64 Edition will still have Windows Media Player 6.4 installed on the system for backwards compatibility."

Posted by: Tim | December 13, 2006 1:32 PM | Report abuse
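Taking the two comments above together (mplayer2.exe lingers even when Windows Media Player 11 is installed, so the MS06-078 update for version 6.4 still applies) along with the post's point that installing patches from a limited user account needs an administrator session, here is an added PowerShell check. It is not part of the original post, the comments, or any Microsoft bulletin, and it assumes the default install location of mplayer2.exe under Program Files; override the path if your layout differs.

```powershell
# Added example (not from the post, the commenters, or Microsoft).
# Reports whether the legacy Windows Media Player 6.4 binary is still on the
# machine and whether the current session has the administrator rights that
# installing the update requires.

function Test-IsAdministrator {
    # True when the current Windows identity is in the local Administrators role.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LegacyMediaPlayerInfo {
    param(
        # Assumed default location of mplayer2.exe; override if the install differs.
        [string]$Path = (Join-Path $env:ProgramFiles 'Windows Media Player\mplayer2.exe')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Present = $false; Path = $Path; FileVersion = $null }
    }
    # FileInfo exposes the PE version resource as VersionInfo.
    $versionInfo = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object PSObject -Property @{
        Present     = $true
        Path        = $Path
        FileVersion = $versionInfo.FileVersion
    }
}

$legacy = Get-LegacyMediaPlayerInfo
if ($legacy.Present) {
    Write-Output "mplayer2.exe present at $($legacy.Path) (file version $($legacy.FileVersion))."
    Write-Output "The Windows Media Player 6.4 portion of MS06-078 still applies to this machine."
} else {
    Write-Output "No mplayer2.exe at $($legacy.Path); the WMP 6.4 portion of MS06-078 does not apply."
}

if (Test-IsAdministrator) {
    Write-Output "Session has administrator rights; updates can be installed from here."
} else {
    Write-Output "Limited user session; switch to an administrator account to install updates."
}
```

The point of the first check is the one tallbear and Tim make: the presence of the newest player says nothing about whether the old binary is gone, so inventory should look for the file itself rather than for the product version. The second check is the post's limited-account advice in executable form: it tells you up front whether a manual Microsoft Update run from this session can succeed.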

Re: "if you are already browsing the Web under a limited user account, you may need to temporarily switch over to an administrator account to install patches through Windows or Microsoft Update."

I've been running XP using a limited user account for daily operations for two years. I find that automatic update does not operate reliably for me in this case. I have found that the only reliable course is: 1) reboot (not just log off); 2) log in as admin; 3) install updates using Microsoft Update; 4) reboot.

Do not succumb to the temptation to use runas to do installation tasks (such as running Microsoft Update) that require elevated privilege; I've found that this causes problems, particularly with registry permissions, probably because it's not a use-case that is widely tested by application providers (or Microsoft).

Posted by: Terry Moore | December 13, 2006 2:13 PM | Report abuse

I took Microsoft's advice and installed the patches. IE7 also installed. Now when I click the IE icon, the IE window flashes on and then disappears permanently. My only recourse is to use my Firefox browser, which I installed as a precaution the last time I had IE failure.

Posted by: John Brooks | December 14, 2006 9:02 PM | Report abuse

The basic problem with Microsoft is that its right hand does not know what its left hand is doing. The organization has grown too big for its britches and become too bureaucratic within its own structure. It is creating problems within the organization that it cannot fix, and as a result the consumer suffers. For example, any Windows XP customer that installed that software with a specially issued key, that is also registered with MS, should not have to go through this so-called validation every time when downloading. MSN Explorer, Internet Explorer and MS Product Units within the Company are not interconnected or understand what is happening out there as far as the consumer is concerned. No doubt for its international market, it needs to outsource services, but US clients have a very difficult time communicating with technicians in Asia, South America and even in Canada.

Posted by: Mohinder L. Jerath | December 15, 2006 7:52 AM | Report abuse

Good luck with your site. It's quite nice =)

Posted by: musica gratis | December 21, 2006 1:31 AM | Report abuse


© 2010 The Washington Post Company