Microsoft plugs 15 holes in Windows, Office
Microsoft on Tuesday released software updates to fix at least 15 security flaws in Windows, Windows Server and Microsoft Office. One of the patches addresses a flaw so serious that users could find their Windows PCs compromised just by visiting booby-trapped Web sites.
Richie Lai, director of vulnerability research for patch management firm Qualys, said the most dangerous vulnerability addressed in this month's updates is a flaw in the way Windows handles so-called "embedded font" files. An attacker could stitch specially made embedded fonts into a Web page and use this flaw to install malicious software when people merely browse the site with Internet Explorer on Windows 2000, Windows XP or Windows Server 2003 systems, Lai said.
Microsoft said it believes hackers will quickly figure out a way to exploit this flaw for criminal gain. Andrew Storms, director of security operations for San Francisco-based security firm nCircle, agreed, saying the novelty value of this bug is likely to attract many researchers.
"A lot of people will try to be the first to publicly post exploit code," Storms said.
A pair of patches for Microsoft Word and Excel products fix a total of nine vulnerabilities in PC and Mac versions of Office. Affected versions include Office XP, Office 2003, Office 2004 for Mac and Office 2008 for Mac.
The two other critical patches fix dangerous flaws that may be a bit harder to exploit. A vulnerability in the way that Windows Vista and Windows Server 2008 look for connected devices such as cameras and printers could be used by attackers to install malicious software, but only if the attacker is on the same network as the victim, and then probably only if the targeted system is unprotected by a firewall, Qualys's Richie said.
The other critical vulnerability, a bug in the license logging server, only resides in Windows 2000 Server systems, and also can be much less of a threat if the target is protected by some type of software or hardware-based firewall.
Windows 7 users can rest easy (for now), as none of these vulnerabilities affects Microsoft's flagship operating system.
Updates are available through Automatic Updates or via the Windows Update Web site. As always, please drop a note in the comments section below if you have any problems downloading or installing these patches.
November 10, 2009; 5:22 PM ET
Categories: New Patches , Safety Tips | Tags: patch tuesday, windows
Save & Share: Previous: Eight indicted in $9M RBS WorldPay heist
Next: A year later: A look back at McColo
Posted by: MRGB | November 11, 2009 1:13 AM | Report abuse
Posted by: TeresaBinstock | November 11, 2009 6:56 AM | Report abuse
Posted by: tojo45 | November 11, 2009 9:04 AM | Report abuse
Posted by: pb2009 | November 11, 2009 11:08 AM | Report abuse
Posted by: vintage51 | November 11, 2009 11:17 AM | Report abuse
Posted by: pb2009 | November 11, 2009 11:25 AM | Report abuse
Posted by: Bartolo1 | November 11, 2009 12:53 PM | Report abuse
Posted by: clogwearer | November 12, 2009 12:45 AM | Report abuse
Posted by: jeremyharewood | November 12, 2009 1:27 PM | Report abuse
Posted by: n3ujj | November 12, 2009 3:45 PM | Report abuse
Posted by: rtd50 | November 16, 2009 1:17 PM | Report abuse
The comments to this entry are closed.