Microsoft plugs 15 holes in Windows, Office

Microsoft on Tuesday released software updates to fix at least 15 security flaws in Windows, Windows Server and Microsoft Office. One of the patches addresses a flaw so serious that users could find their Windows PCs compromised just by visiting booby-trapped Web sites.

Richie Lai, director of vulnerability research for patch management firm Qualys, said the most dangerous vulnerability addressed in this month's updates is a flaw in the way Windows handles so-called "embedded font" files. An attacker could stitch specially made embedded fonts into a Web page and use this flaw to install malicious software when people merely browse the site with Internet Explorer on Windows 2000, Windows XP or Windows Server 2003 systems, Lai said.

Microsoft said it believes hackers will quickly figure out a way to exploit this flaw for criminal gain. Andrew Storms, director of security operations for San Francisco-based security firm nCircle, agreed, saying the novelty value of this bug is likely to attract many researchers.

"A lot of people will try to be the first to publicly post exploit code," Storms said.

A pair of patches for Microsoft Word and Excel products fix a total of nine vulnerabilities in PC and Mac versions of Office. Affected versions include Office XP, Office 2003, Office 2004 for Mac and Office 2008 for Mac.

The two other critical patches fix dangerous flaws that may be a bit harder to exploit. A vulnerability in the way that Windows Vista and Windows Server 2008 look for connected devices such as cameras and printers could be used by attackers to install malicious software, but only if the attacker is on the same network as the victim, and then probably only if the targeted system is unprotected by a firewall, Qualys's Richie said.

The other critical vulnerability, a bug in the license logging server, only resides in Windows 2000 Server systems, and also can be much less of a threat if the target is protected by some type of software or hardware-based firewall.

Windows 7 users can rest easy (for now), as none of these vulnerabilities affects Microsoft's flagship operating system.

Updates are available through Automatic Updates or via the Windows Update Web site. As always, please drop a note in the comments section below if you have any problems downloading or installing these patches.

By Brian Krebs  |  November 10, 2009; 5:22 PM ET
Categories:  New Patches , Safety Tips  | Tags: patch tuesday, windows  


MS Windows Update would not allow update to proceed unless automatic updates was enabled.

Posted by: MRGB | November 11, 2009 1:13 AM

I recently installed still useful software on a new netbook (Acer 1410). My MS Office XP professional is dated 2002 on the box. Did MS actually come out with MS Office 2003? I know that Word 2003 was available as an upgrade.

Posted by: TeresaBinstock | November 11, 2009 6:56 AM

Does anyone really believe they would release fixes for 7 the first month after release? I don't. There'll be some next month I'll bet.

Posted by: tojo45 | November 11, 2009 9:04 AM

The security update for Excel - Security Update for Microsoft Office Excel 2003 (KB973475) - repeatedly fails to install on my Vista 64-bit Dell workstation. It reports Code 779. The Microsoft Help is useless - it just provides general tips. I am going to try to install it manually from the KB article page to see if that works.

Posted by: pb2009 | November 11, 2009 11:08 AM

For the 10th time, this update failed to install: "Microsoft .NET Framework 1.1 Service Pack 1 Security Update for Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (KB953297)". Microsoft's suggested fix doesn't work. Does anyone have an easy solution?

Posted by: vintage51 | November 11, 2009 11:17 AM

Update on the Excel KB973475 install problem post (see my post above, regarding a Vista 64-bit system): I tried installing it directly from the KB article page on This gave a more-informative error message - Error 1913 that Setup cannot update file c:/Windows/SysWOW64/mapisvc.inf. I checked the file's properties. Only the "user" TrustedInstaller can have "full control" of and modify the file. I hesitate to change the permissions to make myself the owner. I seem to recall that doing that once caused other problems. I suppose I'll submit a problem report on about this.

Posted by: pb2009 | November 11, 2009 11:25 AM

PB: In the past I have successfully emailed MS about s/w issues, but I don't have the link handy.

Posted by: Bartolo1 | November 11, 2009 12:53 PM

I downloaded the updates today and have noticed a lengthening in the time it takes for my PC (HP w/Vista 64-bit Home Premium) to boot up and fully load by a full minute...

Posted by: clogwearer | November 12, 2009 12:45 AM

I have had great problems with my computer booting up and also while running after these updates, I eventually had to use system restore to get rid of them. Has anyone else had problems like these? I'm running Windows Vista on a laptop with service 2 and all the other updates installed.

Posted by: jeremyharewood | November 12, 2009 1:27 PM

Updated 127 machines (including 16 servers) at work without a problem. Most machines are XP Pro (32 bit), most servers are Server 2003, and a few 2000.

Posted by: n3ujj | November 12, 2009 3:45 PM

Having a sudden issue with MS Updates page, running Win2000Pro... Updates link freezes IE when clicked - Task Manager reveals IE is not responding and shuts it down. Have tried various ways to get to MS page, including your link, with same freeze-up on all. Never had a problem until this latest round of MS updates - anyone else? One possibility is maybe an early MS cutoff of 2000 - but thought they were going to support 2000 through June 2011?

Posted by: rtd50 | November 16, 2009 1:17 PM

The comments to this entry are closed.


© 2010 The Washington Post Company