
Microsoft Plugs Eight Windows Security Holes

Microsoft Corp. on Tuesday pushed out a set of three updates to fix at least eight security vulnerabilities in its Windows operating systems and other software. The patches are available through Windows Update or via Automatic Updates.

Easily the most critical update addresses an image processing flaw present in every supported version of Windows that could be exploited merely by tricking a Windows user into viewing a booby-trapped image on a Web site or sent via e-mail.

According to Eric Schultze, chief technology officer for St. Paul, Minn.-based Shavlik Technologies, attackers could use this flaw to install and run malicious software on a victim's system even if the user wasn't logged on using the all-powerful administrator account.

"With system privileges, the evil code can access, copy, or delete any files on the system, create or delete user accounts, change passwords, or install backdoors," Schultze said. "In other words, nasty stuff."

Microsoft rates this vulnerability as "critical," its most serious label, but when I visited Windows Update with my Windows Vista Ultimate system, it classified this as an "important" patch. "Critical" flaws are those that can be exploited without any help from the user, as through an automated computer worm. Flaws earn a lesser "important" rating if their exploitation requires some level of user interaction. Maybe this is just a glitch on Microsoft's side, as I would hardly call visiting a Web site "user interaction" of the sort that would warrant a lesser severity label for this flaw. I should also note that this showed up as an "important" update on my installation of Windows 7 Beta.

In any event, we'll split the difference, and call this a critically important flaw to patch, and applying this update left my Vista system no worse for the wear. But don't wait too long for this one: Microsoft says it is likely that bad guys will soon develop consistent and reliable methods for exploiting this flaw.

Not addressed in this month's batch of patches from Redmond is a critical security hole in Microsoft Excel that hackers have been exploiting for at least three weeks in targeted attacks.

Finally, Microsoft added the prolific Koobface family of malware to its malicious software removal tool, which downloads its updates through Microsoft Update/Automatic Update and runs in the background once a month.

By Brian Krebs  |  March 11, 2009; 6:19 PM ET
Categories: Latest Warnings, New Patches, Safety Tips | Tags: excel, microsoft update, patches, wmf

Comments

Brian

Didn't your previous links go directly to Microsoft's specific updates, like Secunia's links do?

Those of us running XP may have disputes with Microsoft over 'legitimate' copies of their software and so long as we don't download updates automatically for installation, we avoid Windows GUI. Something that is unavoidable, I believe, using your links.

Posted by: brucerealtor@gmail.com | March 12, 2009 5:39 AM | Report abuse

P.S.

If my former realtor firm uninstalled my home edition and then replaced it with an 'allegedly' valid copy of their corporate XP Pro, I don't wish to get caught in the middle of whether the firm exceeded the number of copies they could install legitimately.

I understand on Vista that's pretty much a non-issue, as I presume it will also be with Windows 7.

Posted by: brucerealtor@gmail.com | March 12, 2009 5:43 AM | Report abuse

After updating WinVistaHomePrem (32bit) w/ auto updates last night, booted this am to find Norton IS 2009 not functioning and that the two Vista updates and the malicious software program had failed to install. System had been up-to-date per MS and Norton w/ no known problems. Supposedly a shared DLL got messed up. Deleted NIS, ran the Norton Removal tool, installed each failed MS update one at a time and reinstalled NIS, having rebooted after each update. Oh, and had to force the shutdown after each MS Vista update as the shutdowns just ran for minutes w/o ever shutting down.

Posted by: AStMarysConstituient | March 12, 2009 1:56 PM | Report abuse

I had a similar issue as AStMarysCon..., I have WinXPpro, and next day when I booted up Norton AV 2009 (not NIS) wasn't running at all & I couldn't get it to start. First I figured I would try the standard idea and I just shut down and started it up again and this time all was well. Was wondering what was up and maybe it was the MS updates.

Posted by: MinCT | March 13, 2009 12:55 PM | Report abuse

I'm now trying to restore the third system destroyed by these latest MS updates. In one case I was able to uninstall, clean up and have it work, the second I ended up replacing the HD with another that had XP on it, doing a Repair Install and it worked, the third is the laptop I'm trying to get to work again.

My advice is turn the damned updates off!! This is the second set of really defective stuff MS has sent out!! Enough Already !!

Posted by: meldrum_p | March 13, 2009 2:47 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company