Critical Vista Flaw Leads Patch Tuesday Lineup
Update, April 11, 12:06 p.m.: An earlier version of this post incorrectly stated that Microsoft had re-issued a patch that it originally released on Tuesday, Apr. 3. The text below has been changed.
Microsoft Corp. today issued a bundle of software updates to fix at least eight security flaws in its software, including a patch that plugs another dangerous vulnerability in Windows Vista. The free updates are available either from the Microsoft Update Web site or by turning on automatic updates.
This is the second time in a week that the company has shipped a patch to address a "critical" flaw in Vista. Microsoft labels security holes "critical" if they could be exploited by attackers to gain complete control over a vulnerable system through no action on the part of the victim. Last Tuesday, Microsoft pushed out an emergency fix to correct a bug in Vista and Windows XP that hackers have been actively exploiting to attack Windows users.
Security experts were quick to seize upon the Vista flaw as a harbinger of things to come. Amol Sarwate, manager of vulnerability research for security software vendor Qualys, said the most-recent Vista hole to be documented is merely "the beginning of the weaknesses that we will see this year with Vista" and that Microsoft's reuse of code from previous versions of Windows threatens to weaken Microsoft's much-vaunted work on building security into its flagship operating system.
The Vista vulnerability (also present in XP systems) resides in a component of Windows that processes system error messages. The real danger that this flaw presents at the moment is that software blueprints showing would-be attackers exactly how to use the vulnerability to hijack vulnerable systems have been available online since December. No doubt more robust versions of that exploit code will appear in the coming days and weeks.
Eric Schultze, chief security architect for Minneapolis-based patch management company Shavlik Technologies, said the vulnerability that affects Vista is due to computer code carried over from Windows NT 4.0, a legacy version of Windows that predates even Windows 98.
"Microsoft has patched this particular component multiple times before," Schultze said. Given that Microsoft did not have time to do a wholesale re-write of Windows with Vista, "we're bound to see 10-15 more of these legacy vulnerabilities in Vista in this year alone," he said.
Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, which tracks hacking trends, said two of the eight vulnerabilities fixed by this most recent patch bundle look like they could be easily exploited by computer worms able to spread to vulnerable machines and Internet servers without any user interaction.
One final note: An emergency patch that Microsoft pushed out on Apr. 3 appears to be causing problems for some people (including my poor stepmother) every time they go online. Microsoft has acknowledged that this patch can interfere with certain commonly installed hardware components, and if you're seeing an intermittent message complaining about "illegal System DLL Relocation" and/or a buggy file called "user32.dll," you're one of the unlucky few. The company has a fix available for anyone experiencing this problem. You can download and install it from this link.
April 10, 2007; 4:57 PM ET