Microsoft has announced seven new security updates for Windows, including two that address "critical" vulnerabilities.
Separately, Microsoft has made available a tool to clean systems affected by the Download.Ject exploit. The company had previously released a configuration change designed to help prevent infection, but has yet to release a patch.
Security company Symantec said the new product vulnerabilities include "high risk" threats. "These newly announced vulnerabilities may be exploited remotely, which could allow denial-of-service attacks, and could result in the loss of confidential data," Symantec said in a statement. "Symantec strongly advises users to apply security patches for these vulnerabilities immediately."
The latest flaws add to the many security headaches Microsoft and its customers have been experiencing. Microsoft has committed itself to a stronger focus on security.
Two of the security updates announced rated highest on Microsoft's severity scale. The company defines its "critical" rating as: "A vulnerability whose exploitation could allow the propagation of an internet worm without user action."
The first critical problem involves a vulnerability in the "Task Scheduler" stemming from an unchecked buffer. A buffer is an area of memory in which a program accepts data from external sources; an unchecked buffer is one whose code does not verify that the incoming data is valid and fits before storing it.
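To make the defect class concrete, here is an added example in C (not code from the article or from Microsoft's Task Scheduler): a fixed-size buffer filled without any length check sits beside a version that verifies the incoming data fits before copying. The buffer name `job_name`, the 32-byte limit and the 40-character sample input are assumptions chosen for illustration only.

```c
/* Added example (not from the article): an unchecked buffer beside a
 * bounds-checked one. JOB_NAME_MAX and the job-name inputs are
 * illustrative assumptions, not details of the Task Scheduler flaw. */
#include <stdio.h>
#include <string.h>

#define JOB_NAME_MAX 32   /* fixed size of the in-memory buffer */

/* Unchecked: copies whatever arrives from the external source into a
 * fixed-size buffer. Input of JOB_NAME_MAX bytes or more (counting the
 * terminator) writes past the end of dst; that is the defect class the
 * article describes. Call it only with input known to fit. */
void store_job_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);   /* no length check at all */
}

/* Checked: verifies the incoming data fits before copying.
 * Returns 0 on success, -1 when the input is rejected. */
int store_job_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        return -1;  /* would overflow: refuse rather than truncate silently */
    }
    memcpy(dst, src, len + 1);  /* copies the terminating NUL as well */
    return 0;
}

/* Simulates a constructed 40-character name arriving from an untrusted
 * source and reports whether the checked routine rejected it (1 = yes). */
int oversized_input_rejected(void)
{
    char buf[JOB_NAME_MAX];
    char long_name[41];
    memset(long_name, 'A', 40);
    long_name[40] = '\0';
    return store_job_name_checked(buf, sizeof buf, long_name) == -1;
}

int main(void)
{
    char buf[JOB_NAME_MAX];
    /* Short input is fine for either routine. */
    store_job_name_unchecked(buf, "backup");
    printf("unchecked copy of short input: %s\n", buf);
    if (store_job_name_checked(buf, sizeof buf, "nightly-cleanup") == 0)
        printf("checked copy accepted: %s\n", buf);
    printf("oversized input rejected: %d\n", oversized_input_rejected());
    return 0;
}
```

The checked routine deliberately rejects oversized input instead of truncating it, so the caller learns that the external data was malformed rather than silently storing a different value than the one sent.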
Microsoft said that if a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs, deleting data or creating new accounts with full privileges. Microsoft added that users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
According to Symantec, in a web-based attack scenario, an attacker would have to host a website that contains a web page used to exploit this vulnerability. The attacker would also have to persuade users to visit the website, typically by getting them to click a link that takes them to the attacker's site.
Microsoft said the second critical update concerns vulnerabilities related to "HTML Help" and "showHelp." If a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, the company said.
Microsoft said four other security updates were rated as "important," the second-highest rating given by the company. The last security update was rated "moderate" in severity.
Corporate VP Mike Nash announced the tool for Download.Ject during a speech at the Worldwide Partner Conference in Toronto. The company also said that it has reached its goal, ahead of schedule, to train half a million customers and partners on how best to secure their systems. Microsoft also noted that five times as many people are using Windows' automatic update feature as were signed up 10 months ago.
Nash said that the company has spread its investment in security across many areas.
"If there was a silver bullet, we'd bet on it," said Nash, who heads Microsoft's security business and technology unit.
Since there is not, Nash said, Microsoft is working on several things: making it easier for consumers and companies to keep their software current, improving Microsoft code, and developing software that identifies and protects machines that have not been patched.
At the same time, Nash acknowledged that it is still an arms race with those writing malicious code. "There's evolution on both sides," Nash said.
Ed Frauenheim and Ina Fried write for CNET News.com

Comments
There are 4 comments.
1. Barnendu Goswami
It's taken the 'collective' the best part of a month to respond to multiple threats rated as 'severe'.
True, the problem was mostly a Microsoft error, but the other layers of protection were pretty useless too. None of the big AV companies did a very good job of detection/removal once a system was compromised. Even the normally good anti-spyware products were slow to catch up.
I'm an experienced IT Administrator, and I am appalled at how bad things have become. I've lost faith. You can't rely on supplied security solutions anymore. Malware is running circles around the good guys.
The only solution seems to be paranoia, and constant research!
2. Jeremy Chatfield
Visiting another site is easier than you'd think. Search Engine Optimisation companies frequently use a trick that is, if not search engine spamming, very close to it. They screen-scrape a real site with the owner's permission, rewrite it and present it from a different site name. Web users become inured to clicking on links that have no brand association. The result is that any third party can SE spam and yield a browser, man-in-the-middle or redirection attack.
So part of the defense against this is to stop this SEO tactic, and make sure that web brand owners use their web sites, not some SE spam site, to get SE natural ranking. Users will become more aware of the sites that they are being sent to (so long as *that* MSIE vulnerability has been patched, the one where the displayed name isn't the one you go to?)
Sheesh, MS make it as hard as they can to do the right thing, don't they? And they blame users for not keeping up with the blizzard of updates that haven't been cross-tested? What pillocks.
3. Stuart Colville
Why no URL??
Ok here it is for anyone else:
http://www.microsoft.com/security/incident/Download_Ject.mspx
4. Dave
Microsoft refuses to be secure. If they were, Internet Explorer would not be part of their operating system...and on and on and on......Makes me wonder if Microsoft is smart enough to handle the job of releasing a secure operating system in the future....answer...NO... So we have renamed Longhorn to stab-horn. The operating system with poison marrow.