Microsoft Plugs Eight Windows Security Holes
Microsoft Corp. on Tuesday pushed out a set of three updates to fix at least eight security vulnerabilities in its Windows operating systems and other software. The patches are available through Windows Update or via Automatic Updates.
Easily the most critical update addresses an image processing flaw present in every supported version of Windows that could be exploited merely by tricking a Windows user into viewing a booby-trapped image on a Web site or sent via e-mail.
According to Eric Schultze, chief technology officer for St. Paul, Minn.-based Shavlik Technologies, attackers could use this flaw to install and run malicious software on a victim's system even if the user wasn't logged on using the all-powerful administrator account.
"With system privileges, the evil code can access, copy, or delete any files on the system, create or delete user accounts, change passwords, or install backdoors," Schultze said. "In other words, nasty stuff."
Microsoft rates this vulnerability as "critical," its most serious label, but when I visited Windows Update with my Windows Vista Ultimate system, it classified this as an "important" patch. "Critical" flaws are those that can be exploited without any help from the user, as through an automated computer worm. Flaws earn a lesser "important" rating if their exploitation requires some level of user interaction. Maybe this is just a glitch on Microsoft's side, as I would hardly call visiting a Web site "user interaction" of the sort that would warrant a lesser severity label for this flaw. I should also note that this showed up as an "important" update on my installation of Windows 7 Beta.
In any event, we'll split the difference, and call this a critically important flaw to patch, and applying this update left my Vista system no worse for the wear. But don't wait too long for this one: Microsoft says it is likely that bad guys will soon develop consistent and reliable methods for exploiting this flaw.
Not addressed in this month's batch of patches from Redmond is a critical security hole in Microsoft Excel that hackers have been exploiting for at least three weeks in targeted attacks.
Finally, Microsoft added the prolific Koobface family of malware to its malicious software removal tool, which downloads its updates through Microsoft Update/Automatic Update and runs in the background once a month.
March 11, 2009; 6:19 PM ET