Microsoft Corp. yesterday released three software updates to fix security holes in its Windows operating system, including one that can affect machines equipped with a massive security upgrade the company released five months ago.
The three patches, available at windowsupdate.microsoft.com, mend four software holes. Two of the patches earned a "critical" rating from Microsoft, its most serious. The software giant said attackers could exploit three of the flaws merely by persuading users to open a specially crafted e-mail or to visit a Web site that distributes malicious code.
The most severe of the flaws is in the way Windows processes "HTML Help" content, a help-file format that is rendered with Internet Explorer's HTML engine and is used to display instructions for a wide variety of programs. Because the rendering happens inside a component that Web pages and e-mail can reach, the flaw is exposed to the same remote-content attacks described above. The help-file flaw is present in nearly all versions of Windows, including computers running Windows XP with the Service Pack 2 security upgrade installed.
Service Pack 2 was released to the public in August to fix a number of persistent security problems. In addition to mending several flaws, the upgrade switched on key Windows XP security features, such as a firewall to block unwanted Internet traffic and automatic installation of patches.
Stephen Toulouse, Microsoft's security program manager, said the company has seen only a handful of attempts to exploit the help-file security flaw.
"Still, any amount of exploitation concerns us, and this update addresses that," he said.
Oliver Friedrichs, senior manager of security response for the Cupertino, Calif.-based security firm Symantec Corp., said his company has seen at least three cases in which infected Web sites have been used to take advantage of the help-file flaw to install spyware on vulnerable computers.
Friedrichs cautioned that the other three security flaws remain serious threats, as computer code demonstrating how attackers could exploit at least one of them now is publicly available online.
Microsoft also released the "malicious software removal tool," which scours Windows PCs for some of the more prolific Internet worms, including Blaster, Sasser, MyDoom, Gaobot and Nachi. The tool will be distributed to the more than 112 million Windows users who have opted to accept automatic security updates from Microsoft and will be updated once a month, Toulouse said. It also may be downloaded manually from Microsoft.
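An administrator reading this would want a quick way to confirm the three things the article describes as protections: that the Service Pack 2 firewall is on, that Automatic Updates is set to install patches, and that the malicious software removal tool has actually run. The following script is an added example written for this page, not code from the article or from Microsoft. It assumes the documented registry locations for these settings on Windows XP SP2 and later (the FirewallPolicy profile keys, the Windows Update "Auto Update" key, and the RemovalTools\MRT key, whose Version value records the last tool release that ran) and the tool's log at %windir%\debug\mrt.log; the function name Get-Sp2SecurityState is made up for the example.

```powershell
# Added example (not from the article): report the state of the SP2 firewall,
# Automatic Updates and the malicious software removal tool on a Windows PC.
function Get-Sp2SecurityState {
    # Documented registry locations; assumed to be present on XP SP2 and later.
    $fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $au  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $mrt = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'

    $state = [ordered]@{}

    # Windows Firewall: EnableFirewall = 1 means the profile's firewall is on.
    foreach ($profile in 'StandardProfile', 'DomainProfile') {
        $v = (Get-ItemProperty -Path "$fw\$profile" -Name EnableFirewall `
                -ErrorAction SilentlyContinue).EnableFirewall
        $state["Firewall.$profile"] =
            if ($v -eq 1) { 'on' } elseif ($null -eq $v) { 'unknown' } else { 'OFF' }
    }

    # Automatic Updates: AUOptions 4 is the "download and install" setting SP2 turns on.
    $auOpt = (Get-ItemProperty -Path $au -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    $state['AutomaticUpdates'] = switch ($auOpt) {
        1       { 'disabled' }
        2       { 'notify before download' }
        3       { 'download, notify before install' }
        4       { 'download and install automatically' }
        default { 'unknown' }
    }

    # Malicious software removal tool: Version is the GUID of the last release that ran;
    # the log's timestamp shows when the last scan happened.
    $mrtVer = (Get-ItemProperty -Path $mrt -Name Version -ErrorAction SilentlyContinue).Version
    $state['MSRT.LastRunVersion'] = if ($mrtVer) { $mrtVer } else { 'never run' }
    $log = Join-Path $env:windir 'debug\mrt.log'
    $state['MSRT.LastLogWrite'] = if (Test-Path $log) { (Get-Item $log).LastWriteTime } else { 'log absent' }

    [pscustomobject]$state
}

Get-Sp2SecurityState | Format-List
```

Run it in an elevated PowerShell prompt; on a machine where SP2 has switched on the defaults, both firewall profiles report "on", AutomaticUpdates reports "download and install automatically", and the MSRT fields show a version GUID and a recent log timestamp. A missing key reads as "unknown" rather than failing, so the same script can be pointed at older or hardened builds without modification.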
Brian Krebs is a staff writer for washingtonpost.com.