
Microsoft Fixes Eight Security Flaws

Microsoft today pushed out software updates to plug at least eight critical security holes in computers powered by its various Windows operating systems. The patches are available through Windows Update or via Automatic Updates.

The flaws were addressed in a bundle of five patches, each of which earned Microsoft's most dire "critical" rating, meaning they are serious enough that attackers could break into systems without any help from users.

One particularly dangerous flaw covered by this month's patch batch is a problem with the way Windows handles JavaScript. While this flaw stems from a faulty component of the Windows operating system, it would most likely be exploitable through Internet Explorer versions 6, 7 and 8, said Wolfgang Kandek, chief technology officer at software security provider Qualys. The flaw resides in every version of Windows except Windows 7. In fact, none of the vulnerabilities patched today affect Windows 7, Kandek said.

"There are a number of additional security measures [in Windows 7] that seem to be working so far in its favor," Kandek said of Microsoft's flagship operating system, to be officially released to retailers on Oct. 22.

Microsoft also patched a couple of vulnerabilities in the way that Windows processes certain media file formats -- such as .MP3 audio files -- that could allow attackers to silently drop malicious software on a user's system just by convincing the user to open a booby-trapped music file.

In addition, Microsoft also is grappling with several vulnerabilities that attack fundamental flaws in the way Windows handles Internet communications. One patch released today addresses a critical weakness in the way certain Windows systems process incoming packets of data. Andrew Storms, director of security operations for San Francisco-based security firm nCircle, said attackers could use this flaw to cause Windows systems to hang or crash merely by sending the targeted PC specially crafted data packets. Microsoft says that under certain, rarer circumstances, attackers may be able to leverage this flaw to install software on the victim's PC.

Another patch released today fixes a problem with the way the built-in wireless capability in Windows works. Microsoft maintains that this flaw, too, could be tricky for attackers to exploit. But Storms said attackers and security researchers are likely to focus on these networking flaws because they are "rarer and sexier" than more common -- albeit more dangerous -- security holes, such as file format vulnerabilities.

To make matters worse, it appears that exploit code for a separate, newly discovered Windows networking vulnerability, showing would-be attackers and pranksters alike how to bring about the dreaded blue screen of death, was posted online this week. According to an alert published by the SANS Internet Storm Center, the exploit code can cause a BSOD on Windows Vista, Windows 7 and Windows Server 2008 systems that have Windows file-sharing enabled. Microsoft has yet to address this vulnerability with either a security advisory or a software update.

Finally, Redmond also is urging Web site operators who use Microsoft Internet Information Services (IIS) servers to take special steps to block attackers from exploiting a newly discovered security flaw in that product line. Microsoft issued an advisory last week noting that hackers were already exploiting this flaw to break into vulnerable IIS servers, and urging customers to implement stopgap measures to block the threat until it can issue a patch for the problem.

As always, please drop a line in the comments section below if you experience any problems downloading or installing these updates.

By Brian Krebs  |  September 8, 2009; 4:38 PM ET


As always, thanks Brian! You know, it came into my mind as I read your always comprehensive analysis of these Windows patch updates, if it weren't for Windows and its buggy software, you might not be out of a job, but it would be a lot less interesting! :-))

Posted by: peterpallesen | September 9, 2009 8:21 AM | Report abuse

Thanks for the warnings BUT, is this progress? Having such a potentially dangerous device (a PC) and having to pay for the associated inconveniences is a pathetic technological "advancement." As soon as possible, my at-home PC is going in the trash bin. Pay TV is next.

Posted by: TooManyPeople | September 9, 2009 9:04 AM | Report abuse

Secure your Windows machine: install Ubuntu!

Posted by: tgoglia | September 9, 2009 1:53 PM | Report abuse

TooManyPeople wrote:
"Having such a potentially dangerous device (a PC) and having to pay for the associated inconveniences is a pathetic technological "advancement.""

Dangerous device? It's not like it's going to kill your dog.

Posted by: presto668 | September 9, 2009 4:00 PM | Report abuse

There's a free download of the Paragon Rescue disk until midnight of 9/9/09. It's a promotional offer. You have to install it by midnight tonight, because the activation code is only valid until midnight. The download requires you to burn a rescue disk. I tried it, and it works great!

Posted by: Ricardo3 | September 9, 2009 7:10 PM | Report abuse

Here's an idea: let Steve Jobs run Microsoft and what's his face can take a long vacation...

Oh, yeah, time to check for more CRITICAL updates...

Posted by: dlkimura | September 9, 2009 8:38 PM | Report abuse

Please also cover the security patches on Mac.
I would like to know about those too, as I heard that there are some on the Mac platform.

Posted by: ntta | September 10, 2009 12:46 AM | Report abuse



© 2010 The Washington Post Company