Microsoft Plugs Ten Security Holes
Microsoft Corp. today issued free software updates to plug at least 10 security holes in its Windows operating system and other software. Windows users can download the patches directly from Microsoft Update or by using the Windows Automatic Updates feature.
Probably the most important patch in the January batch is a fix for a Windows flaw that Microsoft said is being actively exploited by bad guys, who can use it to break into vulnerable computers simply by tricking a Windows user into visiting a malicious Web site or opening a specially crafted e-mail. The bug, which resides in Microsoft's implementation of a computer graphics rendering language known as "VML," exists in fully patched Windows XP computers and is similar in nature to a flaw that forced the company to issue an emergency update last fall outside of its normal second-Tuesday-of-the-month patch cycle. In fact, according to data compiled by Security Fix, Microsoft devised a patch for last September's VML flaw just eight days after it became clear bad guys were exploiting it.
In addition to the VML patch, Microsoft today pushed out three updates to fix problems in its Office suite.
Last week, Microsoft said it planned to issue at least eight patches to fix an unspecified number of security flaws, but over the weekend the company revised that number to four without explanation. Left unaddressed by this month's patch batch are two flaws in Microsoft Word that bad guys are actively exploiting, and a third Word flaw for which instructions showing criminals how to exploit it have been published online.
While Microsoft's next version of its operating system -- Windows Vista -- technically doesn't hit retail stores until Jan. 30, security researchers have already uncovered a set of fairly serious security holes that could expose customers to attacks. Last week, instructions for taking advantage of a Vista flaw to potentially seize control over computers running the new software were published online. Microsoft said it also was investigating rumors that this exploit was previously offered for sale in the hacker underground.
Microsoft has spent a great deal of time and effort making security a front-and-center concern in the development of Vista, even going so far as to consult with hacker teams at the National Security Agency to harden the operating system. In a note that accompanied today's patch release, Microsoft said it "developed Windows Vista with the highest attention to security; however, it is important to note that no software is 100% secure. Windows Vista is not a silver bullet -- security issues will continue even with more secure operating systems, because the threat bar will continue to be raised and hackers will become more aggressive and that is why Microsoft is taking a defense in depth approach to helping protect users from malware."
One final note: Today's patches fix at least nine vulnerabilities in different versions of Office, but they are most serious for users of Office 2000. While users of newer versions of Office can also get Office updates from the Microsoft Update site, Office 2000 users will need to fire up Internet Explorer and pay a visit to the Office Update site and let the site scan their system for any missing patches.
January 9, 2007; 1:58 PM ET
Categories: Latest Warnings, New Patches, Safety Tips