Network News

X My Profile
View More Activity

Patch Tuesday Plugs 19 Microsoft Security Holes

Microsoft today issued software updates to plug at least 19 separate security holes in its Windows operating system and other software, including two vulnerabilities that criminals are actively exploiting to take control of Windows PCs. Windows users can install the free updates through the Microsoft Update Web site or via Automatic Updates.

All seven of the patch bundles released today earned "critical" labels, Microsoft's most severe. Critical vulnerabilities are those that provide criminals the ability to gain control over vulnerable machines remotely, the kind that are usually exploitable just by convincing a user to visit a malicious Web site or open a specially crafted e-mail.

Seven of the critical flaws patched today reside in various versions of Microsoft Office products, including one vulnerability in Microsoft Word that bad guys are actively using. The vulnerabilities are present in most versions of Office, including some found in versions of Office designed for use on Mac OS X systems.

The company also issued its first patch for Office 2007. This is significant because Office 2007 was the first product to go through the company's much-touted "security development lifecycle" from inception to market, a process that was designed to reduce the number of vulnerabilities.

Users who have Office 2000 installed will need to visit Microsoft's Office Update site in order to download the Office patches released today. Depending on which installation option you choose, Office 2000 users may also be asked to insert the original Office installation CD during the process.

It would hardly be Patch Tuesday without security updates for Microsoft's Internet Explorer Web browser, and today's patch batch does not disappoint, fixing six critical IE flaws. The IE bundle also corrects vulnerabilities found in IE5 through IE7, as well as IE7 as installed on Windows Vista systems.

As expected, Microsoft pushed out a patch to plug a vulnerability in Windows 2000 Server and Windows Server 2003 systems running the DNS Server Service. Criminal hackers have been exploiting this flaw for the past month to compromise vulnerable systems. Another update mends four separate vulnerabilities in Microsoft Exchange, the company's e-mail server software.

The types of security holes addressed in this month's patches are a good marker for where the bad guys are currently focusing their attention, said Oliver Friedrichs, director of Symantec Security Response.

"We've seen a fairly significant trend toward attacks against desktop applications -- the browsers, Microsoft Word and Excel -- for example," Friedrichs said. "As witnessed by this release, there is no shortage of vulnerabilities to be found in these desktop apps."

By Brian Krebs  |  May 8, 2007; 3:49 PM ET
Categories:  New Patches  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: AOL's Password Puzzler
Next: The Politics of Identity Theft


Ugh. In addition to Windows Update and Automatic Updates, we now have Microsoft Updates. Can you explain it? I am loathe to let it do what it wants.

Posted by: A | May 9, 2007 7:01 AM | Report abuse

Anyone know if security problems can be caused by having an old copy of Office 97 on an XP machine? I don't open email with it, but wonder if a malformed web site might zap it just by visiting the web site.

Posted by: Office Question | May 9, 2007 8:06 AM | Report abuse

Microsoft Update is a replacement for Windows Update. It'll look for updates for all MS products as opposed to Windows only.

Posted by: dgc | May 9, 2007 8:18 AM | Report abuse

Well The IE7 security update for Vista (KB931768) has rendered IE7 unusable. Opening IE just results in a box where ieframe.dll wants to download navcncl. I suppose if you can't use it it is more secure! The system scans clean for malware so I have doubts about the patch.

Posted by: Steve | May 9, 2007 10:29 AM | Report abuse

I loaded the update today (5/9/7) using my automatic update function. I run Office 2003 and Windows XP and loaded everything except the update to the Explorer filter (since I never use Explorer or filters). Functions that worked yesterday no longer work today. Compare and merge documents freezes. Links to Microsoft and Windows update freeze. Of course, it's going to cost me $50 to talk to someone at MS about their problem (now my problem)!

Posted by: Sally Snyder | May 9, 2007 11:47 AM | Report abuse

Be aware that the IE7 update also includes hotfixes for Outlook. We have experienced hang ups in Outlook with HTML messages. Uninstall the IE7 update, and it works like a charm.

Posted by: sue | May 9, 2007 12:27 PM | Report abuse

Microsoft Updates?

On my computer I can get Microsoft Update Home to display "Select by Type" and "Select by Product" to get the system AND Office updates. I can't figure out how to do this with the other office computers, which have been apparently missing the critical Office updates. I tried looking for them in Add/Remove Programs, but no luck. Is there a way to select these items under the Microsoft Update Home?

Posted by: umm.huh | May 9, 2007 4:06 PM | Report abuse

Note the phrase '...including two vulnerabilities that criminals are actively exploiting..." and compare this to OS X vulnerabilties which seem to always have been discovered by researchers and, even if patched weeks later by Apple, are never reported to have actually affected users.

Posted by: garyg | May 9, 2007 4:12 PM | Report abuse

For those that have problems with Microsoft Update or with things breaking after the updates have run, please call Microsoft Product Support Services at 1-866-PCSAFETY. Explain your problem to them. They will give you a support ID. (There is no charge for this service if it is related to the Security Updates from Microsoft.)

Posted by: TJ | May 9, 2007 8:12 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company