Microsoft plugs 15 holes in Windows, Office
Tuesday, November 10, 2009; 10:11 PM
Microsoft on Tuesday released software updates to fix at least 15 security flaws in Windows, Windows Server and Microsoft Office. One of the patches addresses a flaw so serious that users could find their Windows PCs compromised just by visiting booby-trapped Web sites.

Richie Lai, director of vulnerability research for patch management firm Qualys, said the most dangerous vulnerability addressed in this month's updates is a flaw in the way Windows handles so-called "embedded font" files. An attacker could stitch specially made embedded fonts into a Web page and use this flaw to install malicious software when people merely browse the site with Internet Explorer on Windows 2000, Windows XP or Windows Server 2003 systems, Lai said.

Microsoft said it believes hackers will quickly figure out a way to exploit this flaw for criminal gain. Andrew Storms, director of security operations for San Francisco-based security firm nCircle, agreed, saying the novelty value of this bug is likely to attract many researchers. "A lot of people will try to be the first to publicly post exploit code," Storms said.

A pair of patches for Microsoft Word and Excel products fix a total of nine vulnerabilities in PC and Mac versions of Office. Affected versions include Office XP, Office 2003, Office 2004 for Mac and Office 2008 for Mac.

The two other critical patches fix dangerous flaws that may be a bit harder to exploit. A vulnerability in the way that Windows Vista and Windows Server 2008 look for connected devices such as cameras and printers could be used by attackers to install malicious software, but only if the attacker is on the same network as the victim, and then probably only if the targeted system is unprotected by a firewall, Qualys's Lai said. The other critical vulnerability, a bug in the license logging server, resides only in Windows 2000 Server systems, and is also much less of a threat if the target is protected by some type of software or hardware-based firewall.
Windows 7 users can rest easy (for now), as none of these vulnerabilities affects Microsoft's flagship operating system. Updates are available through Automatic Updates or via the Windows Update Web site. As always, please drop a note in the comments section below if you have any problems downloading or installing these patches.