NOTE: It must have been a busy day at Bill Gates' shop Tuesday.
By Brian Krebs, washingtonpost.com Staff Writer
Microsoft Corp. today released a dozen software patches to cover 16
security flaws -- half of which it deemed "critical" -- in all
versions of the Windows operating system and a broad range of popular
Microsoft applications such as its Internet chat and media player
products.
The Redmond, Wash.-based software giant issued patches to mend a total
of 16 security flaws, with more than half addressing security glitches
found in Service Pack 2, the massive software security upgrade
Microsoft made available to Windows XP users last August.
Security experts said a weakness in Windows disclosed today could
become a vehicle for the next big Internet virus outbreak. The flaw
involves the "server message block" service enabled by default in
every version of Microsoft Windows that allows users to share files on
a network. Attackers could potentially exploit the weakness over the
Internet without any action by the user, but only if a computer was
not already protected by firewall software. Hackers could also exploit
it by tricking a user into clicking on a specially crafted Web link in
an e-mail.
"Out of all of the vulnerabilities, this one is the most likely to
become the next widespread Internet worm," said Oliver Friedrichs,
senior director of security response for Symantec Corp., a Cupertino,
Calif.-based Internet security company.
Microsoft also issued a bundle of six fixes for vulnerabilities in its
widely used Internet Explorer Web browser. One of the flaws was
recently exploited by "phishers," criminals who engage in identity
theft by creating authentic-looking e-mail messages and Web sites
designed to lure people to disclosing personal financial data. Two of
the vulnerabilities were used recently by hackers to sneak spyware
onto users' computers.
Experts said today's batch of patches shows that hackers are
increasingly looking for ways to bypass automatic computer network
defenses erected by growing numbers of business and home computer
users. Half of the vulnerabilities detailed today require action by a
user -- such as clicking a link in an e-mail or attached
word-processing document -- before attackers could gain control of a
computer.
"We recommend that in any situation where you receive a link or file
from someone that you use extreme caution," said Stephen Toulouse,
Microsoft's security program manager.
He suggested users check with the sender before opening a link or file
that appears suspicious.
Today's patch release included critical fixes for a number of Windows
software products, including the MSN Messenger Internet chat program,
Windows Media Player, and Microsoft Office, the suite of programs that
includes Microsoft Word, Excel and PowerPoint.
One critical software patch specific to corporate Windows users fixes
a vulnerability in Microsoft's "license logging service," which helps
companies keep track of of their licensed installations of Windows.
The service is enabled automatically all Windows 2000 Windows NT, and
Server 2003 computers, and could allow hackers to infiltrate a
corporate network, said Abe Mounce, director of research for
Atlanta-based Internet Security Systems Inc.
The security hole in Microsoft's chat software affects MSN Messenger
versions 6.1 and 6.2. Users of those versions will be prompted when
they next open the program to download and install a new version of
the program.
Users can download most of the patches at windowsupdate.microsoft.com
Microsoft has repeatedly urged Windows XP users to turn on the
program's "automatic update" service, which can fetch and install
patches from Microsoft automatically after they are made
available. But that service does not retrieve patches for Microsoft
Office, so users who have Office installed must visit the Office
Update Web site, and then click on the "check for updates" link in the
upper right-hand corner of the page.
This month's batch of patches brings the total number of critical
vulnerabilities Microsoft has identified in 2005 to 10. Last year,
Microsoft released a total of 25 "critical" security fixes.
The patches were released on the same day that Microsoft announced
that it is buying Sybari Software Inc., an East Northport, N.Y.-based
company specializing in e-mail security for corporate clients. Terms
of the deal were not disclosed. The Associated Press reported that the
acquisition -- and word that Microsoft is gearing up to release its
first set of commercial antivirus products -- could help the software
giant take business away from leading Internet security companies like
Symantec and Santa Clara, Calif.-based McAfee Inc.
Over the past two years, Microsoft has made several acquisitions aimed
at bolstering its security offerings. The company bought a Romanian
Internet security firm in 2003. In December, it bought Giant Company
Software Inc., which makes tools to remove spyware.
NOTE: For more telecom/internet/networking/computer news from the daily
media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra . New articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner. in this instance, Washington Post Company.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml