washingtonpost.com  > Technology > Tech Policy > Security

Microsoft Patches Flaw in Service Pack 2

By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, January 11, 2005; 5:22 PM

Microsoft Corp. on Tuesday issued a trio of software updates to fix security holes in computers powered by its Windows operating system, including one flaw that hackers are using to infiltrate PCs equipped with a massive security upgrade the company released just five months ago.

The three patches, available at http://windowsupdate.microsoft.com, mend four different software holes. Two of the patches earned a "critical" rating from Microsoft, its most serious. The software giant said attackers could exploit three of the flaws merely by convincing users to visit a malicious Web site or open a specially crafted e-mail.

Vital Files Exposed In GMU Hacking (The Washington Post, Jan 11, 2005)
Microsoft Offers Anti-Spyware Software (The Washington Post, Jan 7, 2005)
Single Government ID Moves Closer to Reality (The Washington Post, Dec 30, 2004)
More Security News

The most severe of the flaws involves a glitch in the way Windows handles requests for "HTML help," a function that uses Microsoft's Internet Explorer Web browser to display instructions for using a variety of computer programs. The help-file flaw is present in nearly all versions of Windows, including computers running Windows XP that also have the Service Pack 2 security upgrade installed.

Service Pack 2 was released to the public in August to fix a number of persistent security problems and two switch on key Windows XP security features, such as automatic downloading and installation of patches and a firewall to block unwanted Internet traffic.

Stephen Toulouse, Microsoft's security program manager, said the company has seen only a handful of attempts to exploit the help-file security flaw.

"Still, any amount of exploitation concerns us, and this update addresses that," he said.

Oliver Friedrichs, senior manager of security response for Cupertino, Calif.-based security firm Symantec Corp., said his company has seen at least three different cases where malicious Web sites have used the help- file weakness to install spyware on vulnerable computers.

Friedrichs cautioned that the other three security flaws remain serious threats, as computer code demonstrating how attackers could wield at least one of them now is publicly available online.

Microsoft also released today a "malicious software removal tool," which scours Windows PCs for some of the more prolific Internet worms, including "Blaster," "Sasser," "Mydoom," "Gaobot" and "Nachi." The tool will be distributed to the more than 112 million Windows users who have opted to accept automatic security updates from Microsoft and will be updated once a month, Toulouse said.

© 2005 TechNews.com