Network News

X My Profile
View More Activity

Microsoft Patches Six Security Holes

Microsoft today issued four updates to fix at least six security flaws in its Windows operating system and Office software. The bundle includes a patch for a critical flaw that hackers already are exploiting to break into vulnerable Windows systems.

The latest updates are available through Microsoft/Windows Update, or via Automatic Updates.

Four of the vulnerabilities fixed in today's roundup earned Microsoft's most dire "critical" label, which means hackers could use them to break into Windows systems with little or no help from the user, save from convincing the user into clicking on a link or opening a file or e-mail.

Among the most serious of the critical updates is a fix for a known flaw in Microsoft's Jet Database Engine, a component built into Windows 2000, Windows XP and Windows Server 2003 that provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and many third party applications. Instructions showing attackers how to exploit this flaw have been available online since November 2007, and Microsoft has acknowledged that cyber crooks are actively attacking this vulnerability, which can be exploited by convincing people to open malicious database files (those ending in ".mdb").

The other three critical vulnerabilities reside in Microsoft Office applications and affect nearly every version of Office, including Office 2007. One of the updates even affects Office applications such as Word Viewer 2003 and Office 2004/2008 for Mac.

People who still run Microsoft Office 2000 will not be able to get the Office updates through Microsoft/Windows Update or through Automatic Updates. Office 2000 users will need to pay a special visit to the Office Update page and let the site scan for missing updates. Depending on which installation option chosen, Office 2000 users may need to have the original Office installation disk handy.

Finally, if you run Windows XP and have not already installed Service Pack 3, Microsoft is apt to offer it to you if you scan for updates or switch on Automatic Updates. Given the large number of people who have reported problems after installing Service Pack 3 -- and the tiny benefit users receive from installing the potentially destabilizing update -- I'd urge XP users to avoid the service pack for now. Hopefully, over the next few days I can compile a list of the most common sources of SP3 installation problems.

For those who want to go ahead anyway, or for those who have already installed SP3 and are experiencing problems, check out these two links. The first describes a common reboot loop problem experienced by many users who install SP3 on a Windows XP system powered by an AMD processor. The second is a massively long Microsoft support thread that essentially reminds people that Microsoft provides free online (chat and e-mail) and telephone based support for people having trouble installing Service Pack 3. The toll-free support phone number is (866) 234-6020.

Update, May 14, 4:29 p.m. ET: I just received this clarification from Microsoft, about the situations in which Windows XP users would be offered Service Pack 3 in conjunction with this month's updates: "When visiting the Windows Update Web site, Windows XP customers have the option to run either an "Express" or "Custom" check for available updates. Selecting "Express" will take XP SP2 customers to a screen that lists only XP SP3, since it is the default install. Selecting "custom" will present the customer with more options. Windows XP customers who are set to receive automatic updates will automatically receive the relevant XP SP2 security updates -until XP SP3 is published to Automatic Update. This process is by design as and worked the same way when XP SP2 was released."

By Brian Krebs  |  May 13, 2008; 3:30 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Online Sellers: Beware of Fake Check Scams
Next: Three Charged With Hacking Dave & Buster's Chain


Uh oh, the only patch offered is SP3. It says after that is installed I should check back for additional updates. Looks like I won't be able to get any more patches until I install SP3. What's the deal here?

Posted by: gerryrigged | May 13, 2008 3:43 PM | Report abuse

I believe if you wait for Automatic Updates for this month's patch cycle, you should not be offered SP3; my understanding is that SP3 is currently being pushed only through the MS Update website (MS says it will start pushing SP3 through Automatic Updates only in the 'summer' sometime (June?)). So if you want to avoid SP3, don't get this month's patches from the MS Update site, which will first force you to get SP3. But if you reboot, Automatic Updates should pick up just this month's patches.

Posted by: Anonymous | May 13, 2008 3:55 PM | Report abuse

And just to be sure you don't have SP3 foisted on you, you can also change your settings on Automatic Updates to 'download updates but let me choose when to install them'

Posted by: Anonymous | May 13, 2008 4:00 PM | Report abuse

When I run MS Update it tells me that SP3 is available and recommends installing it but offers the option to check for other updates without installing SP3. (Note: I am in the UK but I wouldn't have thought that would make any difference.)

It appears that it may only be HP machines with AMD CPUs that have problems with SP3. I have installed it on two laptops (with AMD CPUs!) with absolutely no problems. However, if you have the bandwidth, I recommend downloading the full patch or the CD ISO image, disconnecting the machine from the Internet/network and shutting down any firewall, anti-virus and anti-malware applications before installation. If the machine has been running for a while, a reboot prior to installation also does not hurt!

Posted by: Anonymous | May 14, 2008 5:44 AM | Report abuse

I believe the SP3 update problem has been identified, but Your Google May Vary. Users running IE8Beta are experiencing the crash, and users who are using IE6 will be forced to IE7 and not able to return.

I installed the SP3 update with no difficulty on my HP laptop with an AMD processor.

Posted by: Anonymous | May 14, 2008 8:49 AM | Report abuse

gerryrigged wrote: "Uh oh, the only patch offered is SP3."


anonymous wrote: "When I run MS Update it tells me that SP3 is available and recommends installing it but offers the option to check for other updates without installing SP3."

Incredibly, I have seen both behaviors when using MS Updates via IE 7 using the same OS and application image on the same type of machine! I think that Microsoft is still sorting things out with this service pack update and, if not critical to your work or machine security, it is probably a good idea to grab whatever critical updates you can and postpone the service pack upgrade for a short while.

One place to start your research on critical updates w/o having to be subject to the whims of the Microsoft Update tool:

Posted by: C.B. | May 14, 2008 9:26 AM | Report abuse

I installed XP SP3 on two systems when it first became available on Microsoft Update last week, a desk top and a lap top. This week, the only update on the Microsoft Update site is the monthly "malicious software" thing. There are no other available updates for either of my computers. It appears SP3 must have included the new patches that are now available as of this week, but your report doesn't say that, Brian.

Posted by: Jackson | May 14, 2008 4:53 PM | Report abuse

Corel QuattroPro10 and WordPerfect10 have failed to open documents after a techie gratuitously upgraded my computer to SP3. The programs will load, but won't open documents; they freeze instead. The programs worked fine on SP2 with all its patches. GRRRR.

Posted by: JayinPa | May 14, 2008 9:02 PM | Report abuse

My computer crashed when I tried to download the updates (not SP3). Does anyone have any experience with Norton Antivirus causing this kind of problem?

Posted by: JB | May 14, 2008 10:04 PM | Report abuse

I downloaded SP3 via Notify me but dont just do it. It had a wizard and told me to close all other etc but I couldnt and it cancelled. then I went to Updates and it said it had downloaded it and was ready to install so I did it wizard with everything open updates etc and all security running. Had done housekeep prior - cleared cache scanned with Anti virus spyware and defrag.
Went alright but lost my connection - connected but ISP didnt recognise my user etc. This happened when I got IE7 too 5 times so rolled back to IE6. Understand now cant ever get 7 but since use FF dont need it.
On add/remove - all those many patches have disappeared along with SP2 - only shows SP3 but updates say cancelled. Wonder when it will catch up. Only other patch was the tool for May. Hope that helps I am average user.

Posted by: BigVal | May 15, 2008 12:06 AM | Report abuse

security update made Microsoft Word stop working!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Posted by: Anonymous | May 15, 2008 9:34 PM | Report abuse

I tried to install XP SP3 last week and had the restart problem, so I went into Safe Mode and uninstalled it. This past weekend HP sent me an update that allowed me to install SP3 and so far no problems.

Compaq SR2020NX Presario Media Center Desktop PC with AMD Athlon 64 Processor

Posted by: mdyoung | May 27, 2008 10:32 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company