
Microsoft Plugs at Least 28 Security Holes

Microsoft has an early holiday present for Windows users: a batch of eight software updates that plug at least 28 security holes in the widely used operating system and other Microsoft products.

Six of the eight update bundles earned a "critical" rating, Microsoft's highest severity level, meaning the company considers these flaws serious enough that attackers could use them to break into vulnerable machines with little or no help from victims, beyond perhaps convincing users to visit a malicious or hacked Web site.

A critical update for Internet Explorer fixes at least four flaws in the browser, affecting both IE6 and IE7. Another bundle addresses five vulnerabilities that can be exploited through ActiveX controls, a browser plug-in technology used mainly by IE.

Microsoft also issued patches for a pair of flaws in the way Windows handles "Windows Metafile" (WMF) image files, vulnerabilities that likewise could be exploited when a user on an unpatched Windows system visits a malicious site. A WMF flaw was behind a massive series of attacks back in 2006, in which criminals inserted code exploiting the flaw into thousands of legitimate Web sites they had hacked.

Microsoft said one of the ActiveX flaws had been publicly disclosed before these updates shipped, which means attackers already have a head start on exploiting it. According to Ben Greenbaum, senior research manager for Symantec Security Response, they have in fact been exploiting it for some time.

"The ActiveX ... vulnerability was first reported to Microsoft by Symantec Security Response when Response experts observed exploitation of the vulnerability in our honeypots," Greenbaum said. "Attackers will continue to employ sites that users trust - including social networking sites, Internet forums, or media sharing sites - to get users to click on links that take them to corrupted or inserted content that includes the attack."

Two other critical updates address a total of 11 security flaws in Microsoft Office, most of which Redmond says can be exploited merely by convincing a user to open a poisoned Office document, such as a Microsoft Word file.

In addition, Microsoft released a security advisory today saying it is investigating new reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2.

For a look at the rest of the flaws fixed this month, check out this December roundup.

Meanwhile, please drop a note in the comments section below if any of these updates appear to create problems for your system after installation.

By Brian Krebs  |  December 9, 2008; 2:43 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  


I'm curious about the two Office 2000 security patches. I'm using O2K on Windows XP with SP3. When I ran Office Update I got the report that my computer is up to date and I need no new patches. Yet patches for O2K Word and Excel were released today. My questions: do I need them? Should I manually download and install them anyway? Are these only for XP SP2 or previous? Strange thing, this.
Brian: Thanks much for your column. I read it daily.

Posted by: slummo | December 9, 2008 9:52 PM

To Slummo: According to Secunia, Word 2000 and Excel 2000 _ARE_ vulnerable and need to be patched. Direct links to the appropriate patches are in the Secunia advisories.

Posted by: blackdemin | December 9, 2008 11:27 PM

After installing all of the updates on a new Dell with Vista, my computer hung up after reboot. It said "updating configuration" but the progress bar never moved past 0%. Worked fine after reboot.

Posted by: pj48 | December 9, 2008 11:38 PM

Slummo, Office updates for every supported version of Office other than 2000 can be had through Microsoft/Windows Update, but for whatever reason, to grab Office 2000 updates you need to visit Office Update:

and let it scan for available updates. You may need the install CD handy, also.

Posted by: Brian Krebs | December 10, 2008 1:10 AM

Updating Office 2000 is more complicated than Office XP or Office 2003. Patches for those newer versions of Office are grouped with the usual batch of Windows fixes. Office 2000 uses the older and separate Office Update process.

When patching, make sure the only thing running is a single Internet Explorer window. Having Word, Excel, or any other Office product open is not a good idea.

You have to use Internet Explorer, and you will need to allow ActiveX to run in this domain (i.e., add * to the Trusted Sites zone). After you arrive at ,
click on the link for "Office Update" in the upper left-hand corner. If the Genuine Office Validation ActiveX control is not already installed on your system, Microsoft will insist on installing and running it beforehand.

Prior to installing the updates, you *will* need CD #1 of your Office 2000 product. A pop-up dialog box will ask you where your installation files are. The only exception is if the installation files are on your hard drive and you can tell the update process to look for them there.

The update process briefly looks at the CD and then proceeds to actually running the patches. The CD's Office install program does NOT appear.

Posted by: taskforceken | December 10, 2008 3:34 PM


© 2010 The Washington Post Company