Microsoft Fixes Eight Security Flaws
Microsoft today pushed out software updates to plug at least eight critical security holes in computers powered by its various Windows operating systems. The patches are available through Windows Update or via Automatic Updates.
The flaws were addressed in a bundle of five patches, each of which earned Microsoft's most dire "critical" rating, meaning they are serious enough that attackers could break into systems without any help from users.
"There are a number of additional security measures [in Windows 7] that seem to be working so far in its favor," Kandek said of Microsoft's flagship operating system, to be officially released to retailers on Oct. 22.
Microsoft also patched a couple of vulnerabilities in the way that Windows processes certain media file formats -- such as .MP3 audio files -- that could allow attackers to silently drop malicious software on a user's system just by convincing the user to open a booby-trapped music file.
In addition, Microsoft is grappling with several vulnerabilities involving fundamental flaws in the way Windows handles Internet communications. One patch released today addresses a critical weakness in the way certain Windows systems process incoming packets of data. Andrew Storms, director of security operations for San Francisco-based security firm nCircle, said attackers could use this flaw to cause Windows systems to hang or crash, merely by sending the targeted PC specially crafted data packets. Microsoft says that under certain, rarer circumstances, attackers may be able to leverage this flaw to install software on the victim's PC.
Another patch released today fixes a problem with the way the built-in wireless capability in Windows works. Microsoft maintains that this flaw, also, could be tricky for attackers to exploit. But Storms said attackers and security researchers are likely to focus on these networking flaws because they are "rarer and sexier" than more common -- albeit more dangerous -- security holes, such as file format vulnerabilities.
To make matters worse, it appears that exploit code showing would-be attackers and pranksters alike how to bring about the dreaded blue screen of death (BSOD) through a separate, newly discovered Windows networking vulnerability was posted online this week. According to an alert published by the SANS Internet Storm Center, the exploit code can cause a BSOD on Windows Vista, Windows 7 and Windows Server 2008 systems that have Windows file-sharing enabled. Microsoft has yet to address this vulnerability with either a security advisory or a software update.
Finally, Redmond also is urging Web site operators who use Microsoft Internet Information Services (IIS) servers to take special steps to block attackers from exploiting a newly discovered security flaw in that product line. Microsoft issued an advisory last week noting that hackers were already exploiting this flaw to break into vulnerable IIS servers, and urging customers to implement stopgap measures to block the threat until it can issue a patch for the problem.
As always, please drop a line in the comments section below if you experience any problems downloading or installing these updates.
September 8, 2009; 4:38 PM ET