Microsoft Fixes Record 26 Security Holes. Microsoft today issued a record-breaking number of security updates, fixing at least 26 separate security holes in its Windows operating system and other products, including 16 vulnerabilities in Microsoft Office and Office components.
By my count, this is the largest number of flaws Microsoft has fixed in one go outside of a Service Pack. Among the problems addressed in the ten patch bundles released as part of its monthly patch cycle are four flaws in Office, as well as four security holes each in different versions of Microsoft Word, Excel and PowerPoint (one of the Word flaws is only present in the version made for Apple Macintosh systems).
The biggest problem with these Office flaws -- aside from the fact that at least one of them is actively being exploited in targeted attacks against users -- is that almost without exception they are most serious (or "critical") in the 2000 versions of each software title.
That's a big deal because plenty of people (including the author) still use these older versions, and while users can get patches for recent versions of Office, Word, Excel and PowerPoint from the standard Microsoft patch sites -- such as Windows Update, Microsoft Update and via Automatic Updates -- people running Microsoft Office 2000, or standalone Word, Excel and PowerPoint versions cannot get updates for those products through the same means. Instead, they must add a second stage to their patching by heading over to the Office homepage and letting Office Update scan their machines.
Aside from the huge number of Office bugs, six of today's updates apply to fully patched Windows XP systems. Two of the updates also apply to "Vista," as the next version of Windows will be called, though Microsoft was not specific about where those flaws resided in Vista.
If I had to guess which flaws detailed today exist in Vista, I'd point to vulnerabilities Microsoft fixed in ".NET" -- a Microsoft programming language -- and its process for handling XML files (short for eXtensible Markup Language, XML is used to share data across the Web and over a variety of applications an operating systems).
The .NET flaw doesn't appear to be that big of a deal, but the XML bug is potentially very serious for all Windows operating systems. Microsoft said attackers could exploit this vulnerability to compromise Windows machines just by convincing users to visit a malicious Web site. This flaw could become widely exploited in the near future, as the bad guys begin reverse-engineering Microsoft's patches to zero in on the vulnerable code and create exploits to attack unpatched systems.
Microsoft also patched a flaw in Windows Explorer that criminals have been exploiting to compromise Windows computers over the past few weeks.
If you're a Windows users and don't receive patches via Automatic Update, fire up Internet Explorer and head on over to Microsoft Update and apply these updates. If you're using Windows 2000 or any of the individual Office 2000 components, visit to Office Update as well. [Security Fix]
10:17:16 PM  PermaLink /
|
