Failing to run the patch could prove dangerous for computer users. Earlier this week, hackers exploited the security hole in several online attacks, and some security experts expect that computer virus writers soon will use the flaw to launch an outbreak. Microsoft rated the flaw as "critical" -- its most severe rating -– meaning that hackers could use it to hijack vulnerable computers. Hackers often use commandeered PCs to relay spam e-mails and to wage online attacks against other computers or Web sites.
So far, no serious threat has emerged. On Sept. 24, technicians at Internet service provider Easynews spotted at least two photos in an adult online newsgroup that contained tools to take advantage of the flaw, but the virus was not considered a high threat because it could not spread from one PC to the next.
| | | | ___Tech Policy/Security E-letter___ Written by washingtonpost.com's tech policy team, the e-mail version of this weekly feature includes an original news article and links to policy and cyber-security stories from the previous week.
• Click Here for Free Sign-up
• Read E-letter Archive
| | | | | | |
|
Stephen Toulouse, program manager at Microsoft's security response team, said the company plans to release more tools to make applying the new patch less confusing for customers. He declined to offer details on specific steps the company will take.
"We recognized from the beginning the complexity of this particular update, and we've gotten a lot of feedback from customers that there is more we can do in this area," Toulouse said.
Microsoft estimates that "tens of millions" of copies of the patch have been downloaded, a typical number of downloads in such a case.
Toulouse said the software giant plans to roll out a one-stop Microsoft Update site sometime next year that provides automatic updates for all of the company's products from a single source.
Critics of the update system also said that Microsoft users who navigate through the Office Update requirements still may not be completely protected because dozens of non-Microsoft products incorporate Microsoft's vulnerable image-processing engine, but Microsoft's scanning tool does not identify those programs as vulnerable.
"When people have reason to believe they did the security updates correctly when in fact they didn't, that goes back to Microsoft not doing a good enough job of walking users through this," said Tom Liston, a security volunteer at the SANS Internet Storm Center. Liston said he was so dissatisfied with Microsoft's scanning tool that he created and released a free software program to help scour PCs for non-Microsoft products that might also need patching.
"Microsoft has left a lot of users hanging this time and there's a good possibility they're soon going to end up looking silly because of it," Liston said.
