Microsoft Still Patching Software Security Holes

Company Releases 8 'Critical' Updates

By Brian Krebs
Special to The Washington Post
Wednesday, February 9, 2005; Page E05

Microsoft Corp. released a dozen software updates to fix 16 security flaws -- half of which it deemed "critical" -- in all versions of the Windows operating system and in applications such as its Internet chat and media player products.

More than half the patches were intended to address security glitches found in Service Pack 2, the massive software security upgrade Microsoft made available to Windows XP users last August.

Security experts said one of the weaknesses in Windows disclosed yesterday could be used to spread a computer virus. The flaw involves the "server message block" service in every version of Windows that allows users to share files on a network. Attackers could potentially exploit the weakness over the Internet if computer users fail to turn on their computer's firewall. Hackers could also exploit the flaw by tricking a user into clicking on a specially crafted Web link in an e-mail.

"Out of all of the vulnerabilities, this one is the most likely to become the next widespread Internet worm," said Oliver Friedrichs, senior director of security response for Symantec Corp., a Cupertino, Calif.-based Internet security company.

Microsoft also issued a bundle of six fixes for vulnerabilities in its widely used Internet Explorer Web browser. One of the flaws was recently exploited by "phishers," criminals who engage in identity theft by creating authentic-looking e-mail messages and Web sites designed to lure people into disclosing personal financial data. Two of the vulnerabilities were used recently by hackers to sneak spyware onto users' computers.

Experts said the batch of patches shows that hackers are increasingly looking for ways to bypass automatic computer network defenses erected by business and home computer users. Half of the vulnerabilities require action by a user -- such as clicking a link in an e-mail or opening a document attachment -- before attackers could gain control of a computer.

"We recommend in any situation where you receive a link or file from someone that you use extreme caution," said Stephen Toulouse, Microsoft's security program manager. He suggested that users check with the sender before opening a link or file that appears suspicious.

Yesterday's release includes critical fixes for a number of Windows software products, including the MSN Messenger Internet chat program, Windows Media Player, and Microsoft Office, the suite of programs that includes Microsoft Word, Excel and PowerPoint.

The security hole in Microsoft's chat software affects MSN Messenger versions 6.1 and 6.2. Users of those versions will be prompted when they open the program to download and install a new version.

Users can download most of the patches at windowsupdate.microsoft.com.

Microsoft has repeatedly urged Windows XP users to turn on the operating system's "automatic update" service, which can fetch and install patches from Microsoft automatically as they are made available. But that service does not retrieve patches for Microsoft Office, so users who have Office installed must visit the Office Update Web site, office.microsoft.com, and then click on the "check for updates" link in the upper right corner of the page.

This month's group of patches brings to 10 the total number of critical vulnerabilities Microsoft has identified in 2005. Last year, Microsoft released a total of 25 "critical" security fixes.

Krebs is a staff writer for washingtonpost.com.

© 2005 The Washington Post Company