Microsoft Releases New Batch of Patches


By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, July 13, 2004; 5:35 PM

Microsoft Corp. today issued two "critical" software updates for its Windows operating system, bringing to 12 the total number of critical software fixes the company has released so far in 2004 and putting the focus once again on the security of Microsoft's widely used Internet Explorer Web browser.

The two patches deal with security holes in the Windows 2000 and Windows XP operating systems. The first involves a flaw in "task scheduler," a program that allows Windows users to run applications at scheduled intervals. The other resides in Microsoft's built-in "HTML Help" function, which offers tips on using Windows programs.

Stephen Toulouse, Microsoft's security program manager, said both vulnerabilities could be exploited via Internet Explorer if hackers can trick computer users into visiting a Web site designed to target the security holes.

Microsoft said that, if left unpatched, computers running the vulnerable Windows versions could be remotely controlled by hackers. Microsoft rates security flaws as "critical" if they can be easily exploited, such as by an Internet worm that can infect a computer without a user having to click on an infected e-mail attachment or download a file from the Internet.

Microsoft also released five other patches today, including a fix for the software it makes to power Web sites. Rated by the company as "important," the patch fixes a flaw that could allow hackers to seize control over Web sites powered by Microsoft's Internet Information Services (IIS) Web server version 4.

Last month, at least two separate attacks targeted hundreds of Web sites powered by the IIS software. Those attacks leveraged a combination of Internet Explorer and IIS flaws to surreptitiously plant spyware on PCs. The spyware program was designed to steal personal information like passwords and account numbers when an infected computer was used to access one of several online banking sites.

In a departure from its regular schedule of monthly patch releases, Microsoft issued a fix to remedy that problem on July 2. But security experts later demonstrated that the vulnerability could still be targeted using a slightly different method; one of the patches released today seeks to fix the original patch.

Experts say attacks that rely on tricking Internet Explorer users into visiting certain Web sites are particularly dangerous because many security systems protecting corporate Web sites are configured to permit Web browsers to access files and upload information.

"When an attack is coming through the Web browser, at that point it's pretty much already gotten past whatever security or firewalls you have in place," said Marc Maiffret, a security expert at eEye Digital Security in Aliso Viejo, Calif.

Vincent Weafer, senior director of Symantec Security Response, said Web browser exploits are fast becoming a preferred attack method for hackers because they're stealthy and can be targeted to an individual user. Weafer said browser-based attacks are particularly appealing for those interested in conducting Internet fraud scams or planting spyware on PCs.

"Without a doubt, these are the types of attacks that we're going to be seeing a lot more of for some time," Weafer said.

A total of seven patches were released by Microsoft today, along with an automated tool that scans PCs for signs of infections from last month's browser attack. The various patches are for Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, Windows ME and Windows 98.

All the patches can be accessed through www.microsoft.com/security. Microsoft also encourages Windows users to visit its Windows Update site (windowsupdate.microsoft.com) and allow it to scan their computers for needed software updates.



© 2004 Washingtonpost.Newsweek Interactive
