Microsoft Fixes 14 Software Security Flaws

Microsoft today released software updates to plug at least 14 security holes in computers powered by different versions of its Windows operating system and other software. The updates are available from the Microsoft Update Web site or via Automatic Updates.

Windows XP users can expect to install at least six updates from today's patch batch, and more if they have any version of Microsoft Office installed. Office 2000 users will need to make a separate trip over to the Office Update site to scan for and download additional fixes not offered via Microsoft Updates.

Included in this month's Patch Tuesday lineup are several fixes for bugs in Internet Explorer. Specifically, Microsoft plugged at least three vulnerabilities in IE that could allow nasty Web sites to install software just by convincing users to come by for a visit. But the company notes that protections built into IE7 would force those users to approve the launching of another system component before attackers could exploit the flaws.

Two other vulnerabilities deserve special attention. Microsoft numbers its security bulletins sequentially (MS07-001, MS07-002, etc.), and typically the lowest-numbered bulletin in any monthly release cycle fixes the flaw(s) that Microsoft considers the most dangerous or widespread. August's first update corrects a problem in XML Core Services (MSXML), the Windows XML parsing component that Internet Explorer relies on to process certain types of Web-based documents. This one is yet another vulnerability that could be exploited merely by tricking IE users into visiting a malicious or hacked Web site.

Microsoft also fixed a critical flaw in a fundamental Windows component called "Vector Markup Language" (VML), an XML-based markup language used to describe scalable vector graphics in Web pages. Microsoft fixed a vulnerability in this same area last September, a short while after organized criminals began exploiting that flaw to silently install keystroke-logging programs on untold numbers of IE users' PCs.

Five of the flaws fixed today are present in Windows Vista, two reside in Internet Explorer 7, and another applies to Office 2007. All three software packages went through rigorous code reviews to root out security holes before the products went live. But this latest update cycle shows again that no software is without flaws, and that Microsoft will probably continue patching vulnerabilities in these systems for some time.

One of the Vista flaws involves an interesting vulnerability in the Feed Headlines Gadget, a component on the Vista desktop that handles Really Simple Syndication (RSS) feeds. RSS is a format designed to provide real-time content updates from blogs and news sites. If a Vista user somehow subscribed to a poisoned RSS feed or clicked on a poisoned hyperlink in a desktop feed, an attacker could potentially compromise the system, Microsoft said.

By Brian Krebs  |  August 14, 2007; 2:01 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  


Thanks for the notice. Keep up the great work.

Posted by: Jim | August 14, 2007 4:55 PM | Report abuse

Some readers may, as I do, download these updates from the Microsoft Download Center. (I do it that way because I have several machines to update.)

At the moment, MS seems to have a problem with broken links for some (but not all) of the updates. (They're critical ones, natch.)

This month, I proceeded as usual, and successfully downloaded the following updates:

Security Bulletin / KB Number
MS07-045 / 937143
MS07-050 / 938127

However, I was _unable_ to download the following updates:

Security Bulletin / KB Number
MS07-043 / 921503
MS07-046 / 938829

Here is what happens:

1. I click on the link from monthly summary page
2. I get to the download detail page for the update in question, which has a URL like:

3. I click the "Download" button.
4. I next get, momentarily, a "Thank you for downloading" page.
5. Then I get an error page "The page cannot be found" (HTTP error 404).

I spent a frustrating hour on the phone with MS Windows support this afternoon, and have also e-mailed them with the details, but I have had no substantive response yet.

Posted by: Rich Gibbs | August 14, 2007 4:59 PM | Report abuse

What a hassle.

Posted by: Rick | August 14, 2007 6:09 PM | Report abuse

"What a hassle."

Ha ha, so is car maintenance. I'd rather not break down on the side of the road, thank you!

It's not a direct analogy, but treat your computer like a car and take care of it, of which patching is a very important part!

Then again, a lot of people don't care about their car either. :(

Posted by: TJ | August 14, 2007 7:40 PM | Report abuse

Although I still haven't received any substantive response from Microsoft, the download problem that I mentioned in my earlier post appears to have been fixed. I have just recently (ca. 11PM) re-tried the problematic downloads, and have now done them successfully.

From the symptoms I was seeing, my guess is that someone just goofed in setting up the links for the new patches, and the goof is now corrected. I just wish reporting problems like this was not such an ordeal.

Posted by: Rich Gibbs | August 14, 2007 11:48 PM | Report abuse

Imagine what an ordeal it was for the 375 members of Redmond's broken link action committee.

Posted by: Robert | August 15, 2007 7:45 AM | Report abuse

Last week, you mentioned that Microsoft had an update for Office for Mac OS X. However, I had trouble finding anything about this on the Microsoft site. How can I find that update? Thanks.

Posted by: College Park | August 15, 2007 10:34 AM | Report abuse

I downloaded those 6 critical updates last night and after my XP Home Edition rebooted my FIOS internet went from the normal 14-15 Mbps down to 2-3. I go out to a website to test my upload and download speed, checking it daily. Does anyone know what or why a critical update would cause this. I recently installed the newest McAfee security program from AOL and that didn't cause any FIOS internet speed issues. Any thoughts?

Posted by: Stuart | August 15, 2007 11:08 AM | Report abuse

Stuart> I downloaded those 6 critical updates last night and after my XP Home Edition rebooted my FIOS internet went from the normal 14-15 Mbps down to 2-3.

Note that Verizon is currently performing a lot of upgrades to their TV equipment in the D.C. area. (They screwed me royally by deleting about 50 hours of saved programming off my DVR last night; I'm extremely pissed off about that and I no longer recommend Verizon FIOS TV service.) At any rate, it's possible that the software distribution and other attendant configuration nonsense may be coincidentally responsible for the change you saw in your Internet bandwidth.

Posted by: antibozo | August 15, 2007 1:58 PM | Report abuse

"What a hassle."

'Ha ha, so is car maintenance.'

Ha ha, no it's not. What nonsense. It's more the car you're driving and the nut behind the wheel. I don't have to do any of that. Never. Read that again. Equating the hassle of Windows with auto maintenance - what dismissive nonsense.

Posted by: Rick | August 15, 2007 4:27 PM | Report abuse

As I mentioned in an earlier post, my initial problem in downloading two of these updates was fixed. However, I encountered another problem with one update, and wanted to pass along the solution in case anyone else encounters it.

The problem was with the update for MS07-042, which addresses a vulnerability in MS-XML Core Services 4. I downloaded the update from the MS Download Center, a file called 'msxml4-KB936181-enu.exe'. Somewhat unusually, this is the update for both Windows XP and Vista. It installed without a hitch on XP; however, when I tried to install this file on Windows Vista (Home Premium), I got the following error message:

Error opening installation log file. Verify that the specified log file location exists and is writable.

This error message is singularly unhelpful, since it gives no information on what the "specified log file location" is.

It appears that the problem is that some other process has the file (whatever it is) open or locked. The solution that worked for me was:

1. From the START menu, select RUN, and enter 'msconfig'; hit ENTER or press OK.

2. The System Configuration utility starts, positioned on the "General" tab. Click the radio button for "Selective startup".

3. Select the "Startup" tab, click "Disable all", then click "Apply".

4. Select the "Services" tab, click "Hide all Microsoft services", then click "Disable all", then click "OK".

5. Reboot the machine when asked.

When I did this, and tried running the update again, it worked fine. Don't forget to run 'msconfig' again when you're done, to go back to "Normal Startup" (on the "General" tab).

(Thanks to Rosemary at MS for her help with this!)

Posted by: Rich Gibbs | August 17, 2007 4:44 PM | Report abuse
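The following is an added example, not code from the Security Fix post or from any of its commenters. It covers two things raised in Rich Gibbs's comments: checking which of the bulletins and KB numbers he lists are actually present on a machine, and seeing what the msconfig "Selective startup" steps above would switch off before you do a clean boot. The bulletin-to-KB pairs are taken from the comments; the choice of cmdlets (Get-HotFix, the Win32_Service and Win32_StartupCommand CIM classes) and the PowerShell 3.0-or-later, elevated-session requirement are assumptions of this example, not anything the page states.

```powershell
# Added example (not from the post or its commenters). Run in an elevated
# PowerShell 3.0+ session on a Windows host.
#
# Bulletin -> KB, exactly as listed in the comments above. The comments give no
# KB for the other bulletins, so none are added here.
$Bulletins = [ordered]@{
    'MS07-042' = 'KB936181'   # MSXML Core Services 4; ships as an MSI, see caveat below
    'MS07-043' = 'KB921503'
    'MS07-045' = 'KB937143'
    'MS07-046' = 'KB938829'
    'MS07-050' = 'KB938127'
}

function Get-BulletinStatus {
    # Get-HotFix reads Win32_QuickFixEngineering, which lists updates that went
    # through the Windows servicing stack. Component updates delivered as MSI
    # packages (the msxml4 installer mentioned above) do not show up there, so a
    # "missing" KB936181 here means "check the DLL version", not "reinstall".
    $installed = @{}
    Get-HotFix | ForEach-Object { $installed[$_.HotFixID] = $_.InstalledOn }
    foreach ($b in $Bulletins.GetEnumerator()) {
        [pscustomobject]@{
            Bulletin    = $b.Key
            KB          = $b.Value
            Installed   = $installed.ContainsKey($b.Value)
            InstalledOn = $installed[$b.Value]
        }
    }
}

function Get-Msxml4Version {
    # Fallback for the MSI-delivered MSXML 4 update: report the file version so
    # it can be compared with the version given in the bulletin. No version is
    # hard-coded here because the page does not state one.
    $dll = Join-Path $env:SystemRoot 'System32\msxml4.dll'
    if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { 'not present' }
}

function Get-BinaryCompany([string]$PathName) {
    # Service image paths may be quoted and may carry arguments; pull out the .exe
    # and read the CompanyName from its version resource.
    if ($PathName -match '^"?([^"]+?\.exe)') {
        $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if (Test-Path $exe) { return (Get-Item $exe).VersionInfo.CompanyName }
    }
    return $null
}

function Get-NonMicrosoftAutostart {
    # Approximation of msconfig's "Hide all Microsoft services": a service counts
    # as Microsoft's when its binary carries a Microsoft CompanyName. Services
    # hosted in svchost.exe therefore count as Microsoft even when the hosted DLL
    # is third-party; msconfig makes the same simplification.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            $company = Get-BinaryCompany $_.PathName
            if ($company -notlike 'Microsoft*') {
                [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Command = $_.PathName; Source = $company }
            }
        }
    # Run keys and Startup folders, i.e. what msconfig's "Startup" tab disables.
    $startup = Get-CimInstance Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{ Kind = 'Startup'; Name = $_.Name; Command = $_.Command; Source = $_.Location }
    }
    @($services) + @($startup)
}

Get-BulletinStatus | Format-Table -AutoSize
"msxml4.dll version: $(Get-Msxml4Version)"
Get-NonMicrosoftAutostart | Format-Table -AutoSize
```

Run the status check before and after the installs, and keep the autostart listing from before the clean boot: it is the list of what to re-enable if you forget to switch msconfig back to "Normal startup", and anything in it you do not recognise is worth a look on its own.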

I have used Microsoft XP for two years and I'm completely satisfied.

Posted by: Sally, software developer | August 28, 2007 6:39 AM | Report abuse


© 2010 The Washington Post Company