
Microsoft Patches Eight Security Holes

Microsoft today released four security updates to plug at least eight security holes in its Windows operating systems and other software. The updates all earned Microsoft's most dire "critical" rating, meaning attackers can exploit the vulnerabilities to break into Windows PCs with little or no help from users.

The most important and urgent of these patches addresses five vulnerabilities in the Windows graphics device interface (GDI), a component of Windows that is used in rendering certain types of images. Hackers could exploit these flaws to compromise Windows PCs just by convincing users to visit a malicious or hacked Web site with Internet Explorer.

Security experts are warning Windows users not to let any grass grow under their feet before applying this patch. The last time Microsoft issued a security update for GDI, cyber crooks were spotted exploiting the flaw within two days of the patch release.

"If I was a bad guy, this is the patch I'd be reverse-engineering as quickly as possible," said Dave Marcus, director of security research for McAfee Avert Labs. Marcus added that while the GDI flaws are mainly a threat to Internet Explorer users who have not applied the patch, the vulnerable Windows components may be exploitable through other applications.

Microsoft also patched a security hole present in Office XP, Office 2003, Office 2007, and Office OneNote 2007. Usually, when Microsoft releases Office updates, they are most dangerous for Office 2000 users, but this time around the vulnerability doesn't appear to affect that version.

The two other critical updates fix security weaknesses with Windows Media Player and Windows Media Encoder.

The updates are available through Microsoft Update or via Automatic Updates. After visiting Microsoft Update with my Windows Vista box, Microsoft said my machine needed three "important" updates, plus two "recommended" patches, including a Windows Mail junk e-mail tweak and Microsoft's regular "compatibility update" to make Vista play nicer with other applications. For whatever reason, the monthly updates for Microsoft's malicious software removal tool failed to install. Updating offered my Windows XP system only the fix for the GDI problems, along with the usual updates for the Microsoft malware removal tool, both of which installed fine with no apparent ill-effects or problems.

As always, please drop a line in the comments section below if you experience any problems applying these patches.

By Brian Krebs  |  September 9, 2008; 3:51 PM ET
Categories:  From the Bunker , Latest Warnings , New Patches , Safety Tips  

Comments

Brian, am I to assume by your post that the Windows Media Player fix did not install on your machine running XP? Shouldn't it or was this simply an oversight on your part?

The reason I ask is that I have been having problems with my Windows updates process since installing SP3. The worst part about the problem (which I have been in contact with Microsoft support with no resolution to date) is that I would not have known there was a problem unless I read your blog (a HUGE thank you!) and took the time to make sure the updates actually installed (by going to "Set Program Access and Defaults" then "Add and Remove Programs" and making sure the "Show Updates" box is checked and looking at what shows under XP and Explorer -- this is for any readers who do not know how to check if updates are being downloaded and installed).

Based on what I have read the problem I have been having since installing SP3 is not isolated. Sadly I wonder if others think Automatic Updates (and also the Microsoft Update web site -- this shows I am not missing any critical updates when in fact I am) is working when in fact it is not since no error message shows.

Most people think Windows updates is automatic, which in most cases it should be, but one should still make sure the updates are actually downloaded and installed.

Posted by: John | September 9, 2008 7:01 PM | Report abuse

Hello, Brian,

Keep up the good work by making all of us be more careful and staying safe out there in cyber space! Because of your professional advice and knowledge, I have learned so much and thank you for it!

Ingrid E.

Posted by: Ingrid E. | September 9, 2008 9:47 PM | Report abuse

It's always wise to verify installation status.

I always check Event Viewer after installing updates. Easiest method to bring it up is to right click "My Computer" on the desktop and normal click "Manage", under "System Tools" click the + to expand into "Event Viewer". Updates will show up under the "System" log as "Windows Update Agent". Double-click any of those entries to view details. Examples:

"Installation Successful: Windows successfully installed the following update: Update for Windows Media Player 11 for Windows XP (KB939683)"

or an error

"Installation Failure: Windows failed to install the following update with error 0x80070002: Windows Malicious Software Removal Tool - May 2008 (KB890830)."

Posted by: TJ | September 9, 2008 10:01 PM | Report abuse
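
The check TJ describes can be automated once the Windows Update Agent entries are exported as text. The following is an added example, not part of the original post or its comments: it parses the two message shapes quoted above and reports which expected updates installed, failed, or never appeared in the log. The function names are hypothetical, the sample log is constructed from the quoted messages, and `KB0000000` is a placeholder for an update that was expected but never logged.

```python
import re

# Message shapes quoted in the comment above (Windows Update Agent
# entries in the System log), assumed exported one message per line.
EVENT_RE = re.compile(
    r"Installation (?P<status>Successful|Failure): Windows "
    r"(?:successfully installed|failed to install) the following update"
    r"(?: with error (?P<error>0x[0-9A-Fa-f]{8}))?: "
    r"(?P<title>.+?\((?P<kb>KB\d+)\))\.?\s*$"
)

def parse_events(lines):
    """Return one dict per recognised install event, in log order."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line.strip().strip('"'))
        if m:
            events.append(m.groupdict())
    return events

def audit(lines, expected_kbs):
    """Classify each expected KB as installed, failed, or missing."""
    latest = {}
    for ev in parse_events(lines):
        latest[ev["kb"]] = ev  # a later entry (e.g. a retry) overrides an earlier one
    report = {"installed": [], "failed": {}, "missing": []}
    for kb in expected_kbs:
        ev = latest.get(kb)
        if ev is None:
            # No log entry at all: the silent case the thread worries about.
            report["missing"].append(kb)
        elif ev["status"] == "Successful":
            report["installed"].append(kb)
        else:
            report["failed"][kb] = ev["error"]
    return report

# Constructed sample: the two quoted messages plus an unrelated log line.
SAMPLE_LOG = [
    "Installation Successful: Windows successfully installed the following "
    "update: Update for Windows Media Player 11 for Windows XP (KB939683)",
    "Installation Failure: Windows failed to install the following update "
    "with error 0x80070002: Windows Malicious Software Removal Tool - "
    "May 2008 (KB890830).",
    "The Automatic Updates service entered the running state.",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, ["KB939683", "KB890830", "KB0000000"]))
```

The "missing" bucket is the one that matters for the SP3 reports in this thread: an update that neither succeeded nor failed leaves no entry at all, so it only shows up when the log is compared against a list of what should have been installed.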

I have Windows Media Player 10 on Windows XP Pro SP3. Microsoft Update didn't offer me any Windows Media updates. Does that mean I'm okay, or is Media Player 10 so old that they're not issuing updates for it?

Posted by: William | September 9, 2008 11:50 PM | Report abuse

@John,

I've been having similar problems since applying SP3 to my machine. Since then, I've only been offered updates for Office and none for Windows, not even the Malicious Software Removal Tool...

Same as you, the Web site says I'm up to date as well...

Trying some of the remedial activities found on the Web for the various errors in the logs hasn't helped.

Posted by: scottr | September 10, 2008 1:14 AM | Report abuse

I installed the updates Microsoft said I needed (XP Home - SP 3) and immediately after rebooting I received a message saying I had a hardware error, my sound system was nothing but static, and the OS has slowed to a snail's pace. System restore seems to have stopped working - no matter what date I select it says no changes have been made to my computer. Whatever happened, it's made my computer essentially useless! If I can figure out which updates were actually added I will try to remove them and see if I can get the system to work again before updating one file at a time. Has anyone else experienced this problem?

Posted by: Geo | September 10, 2008 8:26 AM | Report abuse

One of the two comments at Sans is similar to Geo's. This sounds not so good for SP3 folks. I hope more information comes out later, here maybe?

Posted by: Bartolo | September 10, 2008 12:59 PM | Report abuse

@John
@scottr

I have had the exact same problem with SP3 and can find no documentation on this issue. The Office updates are detected and install without problem, but no updates for XP ever show up and the MS Update website says I'm up to date. The only thing I've found is this:

http://support.microsoft.com/kb/943144

However, it did not resolve my problem. If anyone has any ideas, please post!

Posted by: Anonymous | September 10, 2008 1:30 PM | Report abuse

I had problems on Vista Ultimate (not SP2) installing updates as the drive contained corruption errors in large files after restarting to finish installing updates.

Posted by: josef | September 10, 2008 1:59 PM | Report abuse

As I said I am still waiting to hear back from Microsoft Support (it's free in case you are wondering so it shouldn't hurt to contact them -- "Satisfied customers are [my] top priority" they say) although they have not been able to offer a fix as of this time. I was unable to get any of the fixes on various support group forums to remedy my problem. I am hoping Microsoft doesn't tell me to uninstall and reinstall SP3 -- I would rather do manual updates than take this risk.

One thing I have heard that works (although not for me) is using a program called Dial-A-Fix (which shockingly was suggested to someone having update problems by Microsoft support staff). It can be found here (http://djlizard.net/dial-a-fix/) -- it helped a friend of mine having update problems.

Posted by: John | September 10, 2008 2:06 PM | Report abuse

@John

I emailed MS support and have yet to hear back as well. As you said, what is troubling is that there is no indication that anything is wrong, since the Office updates are offered and install properly and there are no error messages. This problem may be more widespread and only relatively savvy users (or readers of BK's sweet blog) would know that something's amiss; the implication is that there may be thousands if not millions of XP SP3 systems that are *not updating* and just nakedly vulnerable. Let's hope MS figures something out ASAP.

Posted by: Anonymous | September 10, 2008 2:33 PM | Report abuse

@William
I also am running Windows Media Player 10 and I didn't get the update. I assume either the exploit only affects WMP 11, or they just don't support WMP 10 anymore.

@Brian (and everyone else)
The guys at heise.de have a project called Offline Update, which runs a script to download the Microsoft patches/service packs for a particular product you select. I use it to download patches for newly-installed PCs without exposing them to the internet beforehand. You can run the downloader to download the patches/service packs, then run the installer on the PC you want the patches/service packs for. Unfortunately most of their website is in German. But here is the link:

http://www.heise.de/ct/projekte/offlineupdate/

If you google 'ctupdate' it's the first result and you can use the "Translate this page" Google feature.

Posted by: Stern | September 10, 2008 4:47 PM | Report abuse

I use ZoneAlarm firewall and after updating my Windows XP system with a previous critical security patch I found my internet connection trashed. Attempting to restore my system to its previous state resulted in a full hard drive failure. I lost years of data (banking and tax records, family photos, etc.) and weeks of time reinstalling everything from scratch. My advice to WAPO readers of this column: upgrade carefully and always have a backup before doing so because Microsoft assumes it is the only software on your system and doesn't play well with others!

Posted by: mcfox | September 10, 2008 5:29 PM | Report abuse

Hi Brian; Thank you and all guys posting issues with updates; I have XP Pro SP 3 and after reading all posts I verified that all updates have been installed (Automatic Updates On). Only not ALL show when screening the Windows Remove/Add Programs as indicated; Your assistance is invaluable for non geeks like me; THANK YOU ALL

Posted by: demalv | September 10, 2008 6:14 PM | Report abuse

After SP3 installation caused problems on my system, I uninstalled it and turned off Automatic Updates. It works fine for me because I'm careful to update manually once a week. My understanding is that SP3 is mostly for people who have to reinstall XP to allow them to get all the patches at once. If you've been updating all along, there's no pressing need to have it.

Posted by: Elsie | September 11, 2008 5:37 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company