Microsoft Plugs at Least 28 Security Holes
Microsoft has an early holiday present for Windows users: a batch of eight software updates that plug at least 28 security holes in the widely used operating system and other Microsoft products.
Six out of eight of the update bundles earned a "critical" rating, meaning Microsoft views these flaws as so serious that attackers could use them to break into vulnerable machines without any help from victims, save perhaps for convincing those users to visit a malicious or hacked Web site.
A critical update for Internet Explorer fixes at least four flaws in the popular browser (both IE6 and IE7). Another patch bundle addresses five vulnerabilities that can be exploited through ActiveX controls, a feature specific mainly to IE.
Microsoft also issued patches to fix a pair of flaws in the way Windows handles "Windows Metafile" or WMF image files, vulnerabilities that once again could be exploited when an unpatched Windows user visits a malicious site. A WMF flaw was to blame for a massive series of attacks back in 2006, wherein criminals stitched computer code to exploit the flaw into thousands of legitimate Web sites they had hacked.
Microsoft said one of the ActiveX flaws had been publicly disclosed prior to these updates. According to Ben Greenbaum, senior research manager for Symantec Security Response, attackers already have a leg up in figuring out how to exploit it.
"The Active X...vulnerability was first reported to Microsoft by Symantec Security Response when Response experts observed exploitation of the vulnerability in our honeypots," Greenbaum said. "Attackers will continue to employ sites that users trust - including social networking sites, Internet forums, or media sharing sites - to get users to click on links that take them to corrupted or inserted content that includes the attack."
Two other critical updates address a total of 11 security flaws in Microsoft Office, most of which Redmond says can be exploited merely by convincing a user to open a poisoned Office document, such as a Microsoft Word file.
In addition, Microsoft released a security advisory today warning customers that Redmond is investigating new reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2.
For a look at the rest of the flaws fixed this month, check out this December roundup.
Meanwhile, please drop a note in the comments section below if any of these updates appear to create problems for your system after installation.
December 9, 2008; 2:43 PM ET
Categories: Latest Warnings , New Patches , Safety Tips