Microsoft Fixes 14 Software Security Flaws
Microsoft today released software updates to plug at least 14 security holes in computers powered by different versions of its Windows operating system and other software. The updates are available from the Microsoft Update Web site or via Automatic Updates.
Windows XP users can expect to install at least six updates from today's patch batch, and more if they have any version of Microsoft Office installed. Office 2000 users will need to make a separate trip over to the Office Update site to scan for and download additional fixes not offered via Microsoft Update.
Included in this month's Patch Tuesday lineup are several fixes for bugs in Internet Explorer. Specifically, Microsoft plugged at least three vulnerabilities in IE that could allow nasty Web sites to install software just by convincing users to come by for a visit. But the company notes that protections built into IE7 would force those users to approve the launching of another system component before attackers could exploit the flaws.
Two other vulnerabilities deserve special attention. Microsoft orders its patches sequentially (MS07-001, MS07-002, etc.), and typically the lowest numbered patch in any monthly release cycle fixes the flaw(s) that Microsoft considers to be the most dangerous or widespread. August's first update corrects a problem in XML Core Services, a Windows component tied closely to Internet Explorer that helps render certain types of Web-based documents. This one is yet another vulnerability that could be exploited merely by tricking IE users into visiting a malicious or hacked Web site.
Microsoft also fixed a critical flaw in a fundamental Windows component called "vector markup language" (VML), an XML Web programming language used to create scalable graphics. Microsoft fixed a vulnerability in this same area last September, a short while after organized criminals began exploiting that flaw to silently install keystroke-logging programs on an untold number of IE users' PCs.
Five of the flaws fixed today are present in Windows Vista, two reside in Internet Explorer 7, and another applies to Office 2007. All three software packages went through rigorous code reviews to root out security holes before the products went live. But this latest update cycle shows again that no software is without flaws, and that Microsoft will probably continue patching vulnerabilities in these systems for some time.
One of the Vista flaws involves an interesting vulnerability in the Feed Headlines Gadget, a component on the Vista desktop that handles really simple syndication (RSS) feeds. RSS is a format designed to provide real-time content updates from blogs and news sites (Security Fix's RSS feed is here, by the way). If a Vista user somehow subscribed to a poisoned RSS feed or clicked on a poisoned hyperlink in a desktop feed, an attacker could potentially compromise the system, Microsoft said.
August 14, 2007; 2:01 PM ET
Categories: Latest Warnings, New Patches, Safety Tips