Microsoft today released software updates to plug at least 11 security holes in PCs powered by its Windows operating systems and other software. Windows users can download the fixes either directly through the Microsoft Update Web site or via Automatic Updates.
December’s seven update bundles include fixes for four separate security holes in Internet Explorer 6 and IE7, vulnerabilities that are rated critical for Windows 2000, Windows XP and Windows Vista users. Microsoft rates a flaw “critical” if it can be exploited to break into vulnerable systems with little or no help from the user, save perhaps for browsing a Web site or clicking on a malicious link in an e-mail or instant message.
The IE patch is probably the most important update Redmond issued this month, as the vulnerabilities it corrects have the potential to affect the largest number of people. Microsoft said that criminals already exploited one of the IE flaws to remotely compromise IE users.
Microsoft also issued critical updates to fix at least two different problems with the way Windows handles the processing and display of various video and audio files. The first of those is a serious vulnerability in the “Windows media file format” — chiefly, files that end in “.asf” and “.wmv” — used principally by the Windows Media Player software bundled with the operating system. Another patch addresses a critical flaw in most versions of “DirectX,” a Windows component that handles the display of a variety of video file formats (files that end in “.wav” and “.avi” for example). Again, these are especially dangerous flaws because they can be exploited merely by getting users to view maliciously crafted video files via a Web browser or e-mail.
Of the seven patch bundles released today, only two did not affect Windows Vista systems, suggesting that the vulnerable components were carried over into Vista from older versions of the OS despite the multi-year secure coding review conducted for Vista. That said, two of the bundles were released to plug security holes that were found exclusively in Vista.
Ben Greenbaum, senior security researcher for Symantec Security Response, said while the Vista flaws were concerning, the IE and Windows media format holes are potentially more serious.
“The sheer number of vulnerabilities this month that affect Windows Vista is a concern,” Greenbaum said. “The more alarming vulnerabilities are those in Windows Media Format Runtime and Internet Explorer since a successful exploit could occur when a user visits a malicious Web page or when viewing a malicious email. Neither issue requires any further interaction by the victim to exploit, compounding the problem.”