Correction to This Article
An earlier version of this article incorrectly stated that Microsoft's "license logging service" is enabled automatically on all Windows 2000, Windows NT and Server 2003 computers. It is only enabled on certain versions of those software packages. The article below has been corrected.

Microsoft Issues 8 'Critical' Software Patches

By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, February 8, 2005; 5:52 PM

Microsoft Corp. today released a dozen software patches to cover 16 security flaws -- half of which it deemed "critical" -- in all versions of the Windows operating system and a broad range of popular Microsoft applications such as its Internet chat and media player products.

The Redmond, Wash.-based software giant issued patches to mend a total of 16 security flaws, with more than half addressing security glitches found in Service Pack 2, the massive software security upgrade Microsoft made available to Windows XP users last August.

Security experts said a weakness in Windows disclosed today could become a vehicle for the next big Internet virus outbreak. The flaw involves the "server message block" service enabled by default in every version of Microsoft Windows that allows users to share files on a network. Attackers could potentially exploit the weakness over the Internet without any action by the user, but only if a computer was not already protected by firewall software. Hackers could also exploit it by tricking a user into clicking on a specially crafted Web link in an e-mail.

"Out of all of the vulnerabilities, this one is the most likely to become the next widespread Internet worm," said Oliver Friedrichs, senior director of security response for Symantec Corp., a Cupertino, Calif.-based Internet security company.

Microsoft also issued a bundle of six fixes for vulnerabilities in its widely used Internet Explorer Web browser. One of the flaws was recently exploited by "phishers," criminals who engage in identity theft by creating authentic-looking e-mail messages and Web sites designed to lure people into disclosing personal financial data. Two of the vulnerabilities were used recently by hackers to sneak spyware onto users' computers.

Experts said today's batch of patches shows that hackers are increasingly looking for ways to bypass automatic computer network defenses erected by growing numbers of business and home computer users. Half of the vulnerabilities detailed today require action by a user -- such as clicking a link in an e-mail or attached word-processing document -- before attackers could gain control of a computer.

"We recommend that in any situation where you receive a link or file from someone that you use extreme caution," said Stephen Toulouse, Microsoft's security program manager. He suggested users check with the sender before opening a link or file that appears suspicious.

Today's patch release included critical fixes for a number of Windows software products, including the MSN Messenger Internet chat program, Windows Media Player, and Microsoft Office, the suite of programs that includes Microsoft Word, Excel and PowerPoint.

One critical software patch specific to corporate Windows users fixes a vulnerability in Microsoft's "license logging service," which helps companies keep track of their licensed installations of Windows. The problem affects certain versions of Windows 2000 Server, Windows NT 4.0 Server, and Server 2003 computers, and could allow hackers to infiltrate a corporate network, said Abe Mounce, director of research for Atlanta-based Internet Security Systems Inc.

The security hole in Microsoft's chat software affects MSN Messenger versions 6.1 and 6.2. Users of those versions will be prompted when they next open the program to download and install a new version of the program.

Users can download most of the patches at windowsupdate.microsoft.com.

Microsoft has repeatedly urged Windows XP users to turn on the program's "automatic update" service, which can fetch and install patches from Microsoft automatically after they are made available. But that service does not retrieve patches for Microsoft Office, so users who have Office installed must visit the Office Update Web site, office.microsoft.com, and then click on the "check for updates" link in the upper right-hand corner of the page.

This month's batch of patches brings the total number of critical vulnerabilities Microsoft has identified in 2005 to 10. Last year, Microsoft released a total of 25 "critical" security fixes.

The patches were released on the same day that Microsoft announced that it is buying Sybari Software Inc., an East Northport, N.Y.-based company specializing in e-mail security for corporate clients. Terms of the deal were not disclosed. The Associated Press reported that the acquisition -- and word that Microsoft is gearing up to release its first set of commercial antivirus products -- could help the software giant take business away from leading Internet security companies like Symantec and Santa Clara, Calif.-based McAfee Inc.

Over the past two years, Microsoft has made several acquisitions aimed at bolstering its security offerings. The company bought a Romanian Internet security firm in 2003. In December, it bought Giant Company Software Inc., which makes tools to remove spyware.


© 2005 TechNews.com