
Microsoft Plugs 11 Windows Security Holes

Microsoft today released software updates to plug at least 11 security holes in PCs powered by its Windows operating systems and other software. Windows users can download the fixes either directly through the Microsoft Update Web site or via Automatic Updates.

December's seven update bundles include fixes for four separate security holes in Internet Explorer 6 and IE7, vulnerabilities that are considered critical for Windows 2000, Windows XP and Windows Vista users. Microsoft rates a flaw "critical" if it can be exploited to break into vulnerable systems with little or no help from the user, save perhaps for browsing a Web site or clicking on a malicious link in an e-mail or instant message.

The IE patch is probably the most important update Redmond issued this month, as the vulnerabilities it corrects have the potential to affect the largest number of people. Microsoft said that criminals already exploited one of the IE flaws to remotely compromise IE users.

Microsoft also issued critical updates to fix at least two different problems with the way Windows handles the processing and display of various video and audio files. The first of those is a serious vulnerability in the "Windows media file format" -- chiefly, files that end in ".asf" and ".wmv" -- used principally by the Windows Media Player software bundled with the operating system. Another patch addresses a critical flaw in most versions of "DirectX," a Windows component that handles the display of a variety of video file formats (files that end in ".wav" and ".avi" for example). Again, these are especially dangerous flaws because they can be exploited merely by getting users to view maliciously crafted video files via a Web browser or e-mail.

Of the seven patch bundles released today, only two did not affect Windows Vista systems, suggesting that the vulnerable components were carried over into Vista from older versions of the OS despite the multi-year secure coding review conducted for Vista. That said, two of the bundles were released to plug security holes that were found exclusively in Vista.

Ben Greenbaum, senior security researcher for Symantec Security Response, said that while the Vista flaws were concerning, the IE and Windows media format holes are potentially more serious.

"The sheer number of vulnerabilities this month that affect Windows Vista is a concern," Greenbaum said. "The more alarming vulnerabilities are those in Windows Media Format Runtime and Internet Explorer since a successful exploit could occur when a user visits a malicious Web page or when viewing a malicious email. Neither issue requires any further interaction by the victim to exploit, compounding the problem."

By Brian Krebs  |  December 11, 2007; 3:15 PM ET
Categories:  From the Bunker , Latest Warnings , New Patches , Safety Tips  

Comments

"By Brian Krebs | December 11, 2007; 3:15 PM ET "

I was sooooo wishing this was an old joke.

"By Brian Krebs | April 1, 1997; 3:15 PM ET "

Posted by: GTexas | December 11, 2007 4:49 PM | Report abuse

no doubt

Posted by: joe | December 11, 2007 9:58 PM | Report abuse

The fake Steve Ballmer comments are just lame attempts to attract blog hits and should be removed please.

Posted by: TJ | December 12, 2007 12:17 AM | Report abuse

"Many programming languages (e.g. Fortran) provide a logical data type and a set of logical operators. For example, Fortran logical variables can take values .TRUE. and .FALSE. and support the logical operators .AND., .OR. and .NOT., according to the rules of Boolean arithmetic. So, for example

(.TRUE. .AND. .FALSE.) evaluates to .FALSE.
(.TRUE. .OR. .FALSE.) evaluates to .TRUE.
(.NOT. .TRUE.) evaluates to .FALSE."

-"http://www.dfanning.com/code_tips/bitwiselogical.html"

On examination of the above statements, I mused over the poverty of use of available terms in common language.

TRUE AND FALSE evaluates to MAYBE
TRUE OR FALSE evaluates to ABSURD
NOT TRUE evaluates to FALSE or LIE

Thus, the progress of high level machine language interpretation by humans is still not quite as sophisticated as common literature.

Economy is not necessarily deficient. It should by definition be sufficient and sustainable.


Posted by: user | December 12, 2007 2:44 AM | Report abuse

@Steve Ballmer: I've asked nicely several times that you stop leaving useless comments that only serve to link to your "blog." I'm done asking.

Posted by: Bk | December 12, 2007 9:35 AM | Report abuse

Mr. Krebs, Your blog postings attract some of the most interesting comments.

I have a question related to this topic: At what point will developers (and their project managers) stop pushing out product that allows others to remotely execute code and/or manipulate a user's computer without their explicit consent? Is this even feasible?

Posted by: C.B. | December 12, 2007 12:20 PM | Report abuse

Has Microsoft ever considered creating some kind of tool that would let you know when an audio/video file you're opening has something malicious in it that was blocked by a patch? Sort of like McAfee's SiteAdvisor but more specific to what you're doing (e.g. I have no idea how SiteAdvisor tests sites or how often). It'd at least be a way to throw more shame on the unscrupulous and also warn people about going back to those sites.

Posted by: ugh | December 13, 2007 1:03 AM | Report abuse

I just purchased [at a major discount -- thanks Amazon 'used' books -- they are usually store returns and NOT used at all] Beginning Ubuntu Linux by Keir Thomas.

Store list price is $39.99, but I paid only $18.45 plus $3.99 shipping or $22.44 and the book is brand spanking new and has a double side CD. Side A contains Ubuntu 6.10 codename Edgy Eft. Side B contains the previous version of Ubuntu 6.06.1 LTS codenamed Dapper Drake.

The author claims for those who 'just want to try out Ubuntu, it can be run [more slowly] from the DVD drive in your machine.'

When ordering 'Used' books from Amazon, there are always multiple vendors located throughout the USA. The used price can vary but all vendors are 'satisfaction rated' by Amazon based on feedback from purchasers. It is important to read the last line, because in that line if it says [for example] 'may have return mark,' all that is is a magic marker line on the bottom edge of the pages themselves and it is one way of marking a return from a bookstore. The book will be in absolutely new condition. If, on the other hand, that line says 'some highlighting,' that is most likely a used college text.

Prices usually vary significantly and a more expensive 'used book,' does NOT mean a book in better condition, strange as that may seem.

Order from a vendor that is ranked in the 90% and up group and you will be quite happy with the purchase. I usually order from vendors on the East coast, but either way, by REGULAR MAIL, I always get the book within a week and I have yet to get a lemon. Thanks Amazon.

Posted by: brucerealtor | December 13, 2007 9:04 AM | Report abuse

@C.B.

Since humans are imperfect, so is software creation. Symantec has a good write up along these lines (see below). So, patching is simply to be expected. Granted software vendors can and should do all they can to minimize vulnerabilities. Bottom line though, we wouldn't have to worry about this kind of stuff if it were not for the bad guys out there. Same reason for locking your car/house.

Zero-day Vulnerabilities Following the Trailblazers
http://www.symantec.com/enterprise/security_response/weblog/2007/12/0day_vulns_following_the_trail.html

Posted by: TJ | December 13, 2007 1:04 PM | Report abuse

@C.B.

Thank you for the info -- even though I don't run Ichitaro word processing software.

Thank you very much -- but I am not Ichitaro. Sorry.

Posted by: brucerealtor | December 13, 2007 8:38 PM | Report abuse

If you read the various IT forums, there are problems related to the patch released on December 11th that cause IE 6 and 7 to crash. This is a known problem, and a hotfix is available for it. Unfortunately, in order to get the hotfix, you must call Microsoft and, depending on your PC and level of services available, pay a fee.

So, in other words, they wrote sloppy code to fix sloppy code, and now have more sloppy code that they want you to pay for to fix the problems that never should have existed to begin with.

Google Microsoft and article 939653 for more info about it.

Posted by: Problem with this patch... | December 14, 2007 11:44 AM | Report abuse

...alright then but you people are gonna miss me!

http://fakesteveballmer.blogspot.com

Posted by: Steveballmer | December 15, 2007 1:26 AM | Report abuse

When you attempt to restore your computer using Windows XP and after hitting F8 after starting the system, you get the option:

Work in safe mode [yes] [no] Hit 'no' to go into system restore

AND your computer then says 'system restore is not available,' restart your system and try again

you will be doing that all day long UNLESS you choose 'work in safe mode' [YES] then choose 'all programs' and next choose 'accessories' then 'system tools' then 'system restore' -- restore my system to an earlier time [YES]
-----------------

You might also check to see IF your Security Center has been disabled also.

If it has, go to 'run' & type 'services.msc' without the quotes, then hit enter.

On the right side, scroll down to 'security center' and right click on it. Choose 'properties' and click on it. Then CHANGE 'start up type' from disabled to Automatic and click the start button below that.

Abra kadabra

Posted by: system restore -- when it doesn't work | December 19, 2007 3:20 AM | Report abuse
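The Security Center check from the comment above, done as a script. This is an added example, not code from the post or its commenters; it assumes the service name wscsvc (the Security Center service on XP and Vista), an elevated PowerShell session, and the hypothetical -Repair switch for actually changing anything.

```powershell
# Added example: report whether the Windows Security Center service is
# disabled and, only when -Repair is passed, set it back to Automatic and start it.
# Assumes the service name 'wscsvc' and that the shell runs with admin rights.
param([switch]$Repair)

$svcName = 'wscsvc'
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$svcName' not found on this system."
    exit 1
}

# Get-Service on older PowerShell does not expose the startup type; read it from WMI.
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
Write-Host ("{0}: status={1}, startup={2}" -f $svc.DisplayName, $svc.Status, $wmi.StartMode)

if ($wmi.StartMode -eq 'Disabled') {
    # A disabled Security Center is a common sign of tampering by malware;
    # look at what else changed before treating it as a deliberate setting.
    Write-Warning "Security Center is disabled; investigate before assuming this was intentional."
    if ($Repair) {
        Set-Service -Name $svcName -StartupType Automatic
        Start-Service -Name $svcName
        Write-Host "Startup type set to Automatic and service started."
    }
} elseif ($svc.Status -ne 'Running' -and $Repair) {
    Start-Service -Name $svcName
    Write-Host "Service started."
}
```

Run it without -Repair first to see the current state; the equivalent of the comment's services.msc steps is the -Repair path.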

The safest approach seems to be to use the Firefox browser with the NoScript add-on. Also, the IE Windows update program is very problematic; I am unable to get it to work on my desktop, though it does work on my laptop.

Posted by: xx | December 19, 2007 4:36 AM | Report abuse

© 2010 The Washington Post Company