Network News

X My Profile
View More Activity

Microsoft Issues Record Number of Security Updates

Microsoft Corp. on Tuesday issued an unprecedented number of updates to fix security problems in PCs powered by its Windows operating systems and other software: The software giant released patches to plug at least 34 security holes, the highest number of vulnerabilities it has ever addressed in a single month.

October's batch of patches offer a little something for all Windows users, fixing security issues in Windows applications from the Internet Explorer (IE) browser and Microsoft Silverlight, to Microsoft's Internet Information Services (IIS) server, said Tyler Reguly, lead security research engineer at security vendor nCircle.

"Again we see a month of client-side issues in almost every major Microsoft product," Reguly said. "Whether you run Office, Windows Media Player, Internet Explorer, .NET or just Windows itself, there's a vulnerability for you."

Two-thirds of security holes addressed this month earned Microsoft's "critical" rating - it's most severe. Microsoft labels a security flaw critical if bad guys can exploit it remotely to take complete control over a Windows system, without any help from the victim.

Compounding that threat is the fact that information about how one might exploit several of these flaws has already been released online, said Woflgang Kandek, chief technology officer for Qualys, a software update management firm.

"The descriptions in a number of updates today include some kind of indication that attackers were already aware of these vulnerabilities, and if they're not exploiting them right now would be fairly easy to come up with exploits for most of them," Kandek said.

Among the flaws patched in this month's release is a set of vulnerabilities in the file-sharing capability of Windows Vista and Windows Server 2008 systems. This issue earned a great deal of attention last month because proof-of-concept exploits that attackers might use to figure out how to attack the flaw were posted on the Web.

Microsoft also issued a patch to address a remarkable security weakness in a Microsoft component responsible for handling Web site encryption certificates (also known as "secure sockets layer" technology, SSL is what prevents other users on a network from eavesdropping on your sensitive communications, such as with your bank's Web site). On Monday, someone published online a template that other hackers could used to forge SSL certificates for Paypal.com.

It would hardly be a Patch Tuesday without a bundle of security updates for Internet Explorer, and this month's batch doesn't disappoint. Microsoft fixed at least four IE-specific vulnerabilities, including one for an IE flaw that was publicly disclosed prior to today. Fixes are available for all versions of Internet Explorer, including IE 6, 7 and 8 (as well as the release-to-manufacturer version of IE8 that ships with Windows 7).

Updates are available via Windows Update Web site, or through Automatic Updates. As always, please drop us a note in the comments section below if you experience any funky problems with your Windows system after applying these updates.

By Brian Krebs  |  October 13, 2009; 4:25 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  | Tags: microsoft, patch tuesday, windows  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Avoid Windows Malware: Bank on a Live CD
Next: Adobe Plugs 29 Critical Reader, Acrobat Holes

Comments

I just downloaded all these patches and discovered that my old fashioned disc drive no longer works. When I put in a disk I got the dreaded blue screen which told me "a driver has overrun a stack based buffer." It proceeded to dump physical memory onto the disc, then restarted the computer. When I tried to use the disc, which only has a Word Perfect data file on it, I got the same result. Can anyone help?

Posted by: polprof | October 13, 2009 5:34 PM | Report abuse

Blue Screen Error - Running Reg Mechanic to see what damage it did to my registry.

Posted by: jmacone | October 14, 2009 4:03 AM | Report abuse

Please, guys, as Brian always says: Tell us what operating system you are having trouble with for any group of patches.

Posted by: Bartolo1 | October 14, 2009 8:14 AM | Report abuse

And why are people still even running Windows? It's almost cliche to suggest that Mac is better, but it clearly is. Even the US Army is running Mac servers now due to security issues. I wish that corporate America would wake up. Of course the IT guys would hate Mac because it would reduce their job security. For instance, in this article, there was a quote from a guy from a "software update management firm" .. what the heck is THAT? Why do companies pay money for services that really aren't that difficult to handle in-house. Does a company really need to pay someone to update their software? The IT glut is ridiculous -- if Windows were obsolete, corporations could save millions on security flaws, compatibility issues, network admin, etc. Boycott Windows. They STILL can't get it right, even after copying Mac for twenty+ years.

Posted by: superacidjax | October 14, 2009 10:55 AM | Report abuse

The Mac vs PC vs Linux debate is getting old. All OSes have security issues. I get as many patches in Linux as I get in Windows. Microsoft just gets more press for it because it's controversial and fires up debate every time, driving traffic to their news sites.

Download the update and be done with it. If you're complaining because running your 8 year old hard drive is now not supported you should be more worried about your hardware crashing than some hacker coming and running code that destroys your data. HDDs are not meant to live past 750,000 - 1.5M hours. Security patches are a part of having a computer. They exist because there's a lucrative underground industry there or because 14 year old hackers in Russia and Korea have nothing better to do.

Posted by: rlescaille | October 14, 2009 1:04 PM | Report abuse

Brian, I use Returnil, which is a light virtualization program that discards all changes made during a session on reboot. While Returnil is "on" no changes to the registry can be made, no new files written AT ALL to the protected partition. For me, I feel safe with this and a few other measures. Starting with a clean system, then protected by Returnil, it seems a bit more user-friendly for the average user than a Live CD. With light virtualization programs (like Returnil, Deep Freeze, etc.), if one starts out with a completely clean system - you are protected, I think, to a state very close to a linux-based CD.

Posted by: SecureSafe | October 14, 2009 1:53 PM | Report abuse

Thanks again, Brian. No problem with the patches, but I wish you had given a heads-up about the time it takes. Even with DSL, they took 45 minutes to download and install.

Posted by: JBV1 | October 14, 2009 2:13 PM | Report abuse

My automatic update has still not loaded these updates. I have noticed in the past that it usually takes until Wednesday or Thursday for them to happen, but none so far. (Update set to run @ noon.)

Posted by: elyrest | October 15, 2009 12:36 PM | Report abuse

My father just did these updates on his computer (2004 DELL desktop DIMENSION 3000 - CELERON; INTEL CELERON PROCESSOR 320 (2.40GHz, 533 FSB), MICROSOFT WINDOWS XP HOME EDITION) and now his computer won't boot up.

He's getting the message, "windows could not start because the following file is missing or corrupt WINDOWS\SYSTEM32\CONFIG\SYSTEM"

So I figure the updates corrupted his registry, but I don't know for certain. If anyone else has experienced the same issue we're getting, it would be nice to know.

Posted by: koi123 | October 16, 2009 9:41 AM | Report abuse

IE 7 on my XP SP2 PC is now crashing when it closes. I'm going to send one report to MS and install IE 8 since that's probably what they'll tell me to do.

Posted by: SingleBbl | October 16, 2009 10:26 AM | Report abuse

Everytime I do the window updates my computer goes off line. I have no access to the Internet. I have had to use a back up date to an earlier time to get back on line. Any suggestions. I have Vista.

Posted by: busy_mom18 | October 19, 2009 8:33 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company