Security Updates for Windows 2000, Instant Messenger
Microsoft Corp. released a mercifully light batch of software updates today as part of its regularly scheduled "Patch Tuesday" release cycle. Most Windows users will likely have to install just a single security update this time around. The fixes are available from the Microsoft Update Web site or via automatic updates.
Of the five security bundles Microsoft issued, only one is likely to affect most Windows users. Microsoft said MSN Messenger, an instant messaging program installed by default on all Windows XP computers, contains a security hole that could be exploited when a user accepts a specially crafted chat invitation from an attacker. The same vulnerability also is present in Windows Live Messenger, the newer version of Microsoft's chat software.
According to anti-virus maker Symantec, instructions showing would-be attackers how to exploit this vulnerability already are available online, so if you use this program with any frequency, it's a good idea to apply this patch immediately.
Microsoft also fixed a critical flaw found in Windows 2000 systems. The culprit, once again, is a faulty ActiveX component that could create a serious security threat for anyone surfing the Web with Internet Explorer on a Windows 2000 system. Microsoft said that without the benefit of this latest update, Windows 2000 users could have their machines completely compromised by attackers simply by visiting a specially crafted Web site that tries to take advantage of this flaw.
Microsoft is fond of including the following caveat in advisories it issues for nearly any security flaw that can be exploited over the Web: "In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site" [my emphasis added].
This wording has always annoyed me, because it suggests that if Windows users merely stay away from porn sites and other risky places in the Web's "red light" districts, then they can avoid becoming victims of vulnerabilities like these. While the advice against wantonly clicking on links is sound and essential for Windows users, attackers these days are just as apt to stitch malicious code into the very fabric of hacked, legitimate Web sites.
In an increasing number of attacks, criminals are effectively bringing the site to the victim. This attack method often involves embedding attack code in banner advertisements that get fed into the large networks that handle ad placement on some of the Internet's biggest Web sites. In such a scenario, the visitor may be browsing a popular, trusted site, but if he or she happens to be using an outdated version of IE and one of these tainted ads gets served on the page, there is a very real risk that the user's machine will be infected with some kind of nasty, unwanted software.
Update: 3:32 p.m. ET: Added information from Symantec Corp.
September 11, 2007; 2:27 PM ET
Categories: From the Bunker , New Patches , Safety Tips