Microsoft Still Patching Software Security Holes
Microsoft Corp. released a dozen software updates to fix 16 security flaws — half of which it deemed «critical» — in all versions of the Windows operating system and in applications such as its Internet chat and media player products.
More than half the patches were intended to address security glitches found
in Service Pack 2, the massive software security upgrade Microsoft made
available to Windows XP (news
— web
sites) users last August.
Security experts said one of the weaknesses in Windows disclosed yesterday
could be used to spread a computer virus. The flaw involves the «server message
block» service in every version of Windows that allows users to share files on a
network. Attackers could potentially exploit the weakness over the Internet if
computer users fail to turn on their computer’s firewall. Hackers could also
exploit the flaw by tricking a user into clicking on a specially crafted Web
link in an e-mail.
«Out of all of the vulnerabilities, this one is the most likely to become the
next widespread Internet worm,» said Oliver Friedrichs, senior director of
security response for Symantec Corp., a Cupertino, Calif.-based Internet
security company.
Microsoft also issued a bundle of six fixes for vulnerabilities in its widely
used Internet Explorer Web browser. One of the flaws was recently exploited by
«phishers,» criminals who engage in identity theft by creating authentic-looking
e-mail messages and Web sites designed to lure people into disclosing personal
financial data. Two of the vulnerabilities were used recently by hackers to
sneak spyware onto users’ computers.
Experts said the batch of patches shows that hackers are increasingly looking
for ways to bypass automatic computer network defenses erected by business and
home computer users. Half of the vulnerabilities require action by a user —
such as clicking a link in an e-mail or opening a document attachment — before
attackers could gain control of a computer.
«We recommend in any situation where you receive a link or file from someone
that you use extreme caution,» said Stephen Toulouse, Microsoft’s security
program manager. He suggested that users check with the sender before opening a
link or file that appears suspicious.
Yesterday’s release includes critical fixes for a number of Windows software
products, including the MSN Messenger Internet chat program, Windows Media
Player, and Microsoft Office, the suite of programs that includes Microsoft
Word, Excel and PowerPoint.
The security hole in Microsoft’s chat software affects MSN Messenger versions
6.1 and 6.2. Users of those versions will be prompted when they open the program
to download and install a new version.
Users can download most of the patches at windowsupdate.
microsoft.com.
Microsoft has repeatedly urged Windows XP users to turn on the operating
system’s «automatic update» service, which can fetch and install patches from
Microsoft automatically as they are made available. But that service does not
retrieve patches for Microsoft Office, so users who have Office installed must
visit the Office Update Web site, office.microsoft.com,
and then click on the «check for updates» link in the upper right corner of the
page.
This month’s group of patches brings to 10 the total number of critical
vulnerabilities Microsoft has identified in 2005. Last year, Microsoft released
a total of 25 «critical» security fixes.
By Brian Krebs, Special
to The Washington Post
Нет загрузок
