Plus: help for a new email threat.
The surge in critical updates that Microsoft issues shows no sign of weakening. The company recently shipped 12 bug patches, nine of them critical, affecting everything from Windows to IE (Internet Explorer) to Office applications. Unfortunately, things haven’t gone smoothly.
In keeping with what is now a familiar pattern, hackers launched a zero-day attack on one of the holes these fixes address before the patch could be released. This exploit was designed to target the Windows Server service, which handles file- and printer-sharing in Windows 2000 SP4 to Windows Server 2003, as well as in Windows XP SP1 and SP2.
Because the Server service typically runs on PCs that are waiting for connections, clever crackers figured out how to send bogus commands over the internet to infect vulnerable systems. The attack uses a buffer-overflow strategy and can take over your PC without your having to surf the web, read email or click anything. It proved scary enough to spur the US Department of Homeland Security to release an alert of its own, asking computer users to install the relevant patch as quickly as possible – something the US government has never done before.
Fortunately, you can lessen your risk by activating a firewall that blocks unknown incoming internet connections. Windows XP SP2 has its firewall activated by default, as do most broadband routers. This is still a dangerous hole, though, so be sure to obtain and install this patch via Automatic Updates.
Alternatively, you can get it here.
A broken IE fix
Shortly after releasing a cumulative update for IE6 SP1 that patched six critical holes, Microsoft discovered a problem. The patch introduced a bug that crashed IE under some circumstances. These included running CRM (customer relationship management) applications, such as Siebel and PeopleSoft.
At about the same time, eEye Digital Security, a security research firm, discovered that an attacker could take advantage of the crashes to commandeer a PC running Windows 2000 SP4 or XP SP1. Two weeks later, Microsoft released an updated patch. Pick up the fix, which includes the cumulative updates of the previous patch, via Automatic Updates or from Microsoft’s website.
This latest batch of critical Microsoft patches corrects a number of additional security holes in Windows dialup connections, Outlook Express HTML email and more. Two more patches for Office are also included. To get the complete rundown, go to the link above.
When Microsoft releases IE7 for Windows XP, the company will mark the browser as a high-priority update via Automatic Updates because of security features such as better ActiveX handling.
But, according to Microsoft, you can decide whether to install it when prompted to do so by an initial welcome screen. More details here.