Microsoft Corp. on Tuesday issued a trio of software updates to fix security holes in computers powered by its Windows operating system, including one flaw that hackers are using to infiltrate PCs equipped with a massive security upgrade the company released just five months ago.
The three patches, available at http://windowsupdate.microsoft.com, mend four different software holes. Two of the patches earned a "critical" rating from Microsoft, its most serious. The software giant said attackers could exploit three of the flaws merely by convincing users to visit a malicious Web site or open a specially crafted e-mail.
The most severe of the flaws involves a glitch in the way Windows handles requests for "HTML help," a function that uses Microsoft's Internet Explorer Web browser to display instructions for using a variety of computer programs. The help-file flaw is present in nearly all versions of Windows, including computers running Windows XP that also have the Service Pack 2 security upgrade installed.
Service Pack 2 was released to the public in August to fix a number of persistent security problems and to switch on key Windows XP security features, such as automatic downloading and installation of patches and a firewall to block unwanted Internet traffic.
Stephen Toulouse, Microsoft's security program manager, said the company has seen only a handful of attempts to exploit the help-file security flaw. "Still, any amount of exploitation concerns us, and this update addresses that," he said.
Oliver Friedrichs, senior manager of security response for Cupertino, Calif.-based security firm Symantec Corp., said his company has seen at least three different cases where malicious Web sites have used the help-file weakness to install spyware on vulnerable computers.
Friedrichs cautioned that the other three security flaws remain serious threats, as computer code demonstrating how attackers could wield at least one of them is now publicly available online.
Microsoft also released today a "malicious software removal tool," which scours Windows PCs for some of the more prolific Internet worms, including "Blaster," "Sasser," "Mydoom," "Gaobot" and "Nachi." The tool will be distributed to the more than 112 million Windows users who have opted to accept automatic security updates from Microsoft and will be updated once a month, Toulouse said.