Microsoft releases critical Windows patches
Published: 09 Sep 2009 09:22 BST
Microsoft on Tuesday issued five critical Windows-related updates as part of its monthly Patch Tuesday release.
While the issues affect versions of Windows in different ways, Microsoft said none of the issues applies to the final version of Windows 7, which Microsoft wrapped up in July.
The five bulletins address eight vulnerabilities. According to Symantec Security Response research manager Ben Greenbaum, the two vulnerabilities most likely to be used by attackers involve the way Windows handles ASF and MP3 media files.
"We've seen similar exploits in the past and all a user would have to do is visit a compromised website hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected."
McAfee Avert Labs director Dave Marcus said two of the flaws, in particular, relate to serious security vulnerabilities in the networking components of Window Vista, Windows Server 2008 and Windows Server 2003 that could allow for malicious software to spread from one PC to another.
"These vulnerabilities are the most likely to be exploited by malicious code and are two of the best worm candidates that we've seen since Conficker," Marcus said in a statement. "That said, all of today's security bulletins address vulnerabilities that could allow an attacker to take complete control of a vulnerable PC."
In addition, Microsoft said it is re-releasing a bulletin from last month to address an additional control found to be vulnerable to an issue with the Microsoft Active Template Library.
Greenbaum noted that Microsoft has yet to issue a patch for a zero-day flaw in Internet Information Services that was made public last week.
"Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately," Greenbaum said.
"We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5."
There are already some attacks being seen based on that flaw.
"While the company will not release an update this month, it will do so once it has reached an appropriate level of quality for broad distribution," Microsoft said.
Meanwhile, Microsoft said on Tuesday that it is investigating another zero-day issue, this one a reported flaw in Windows Vista and Windows 7.
As for the patches Microsoft did release on Tuesday, Qualys chief technology officer Wolfgang Kandek noted that some of the bulletins are interesting in that they either affect only newer operating systems or are more critical on later versions — the reverse of what is normally the case. Overall, he said, five Windows patches should keep IT workers busy.
"Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators," Qualys CTO Wolfgang Kandek said in an email.
Credit: Microsoft issues critical Windows patches from CNET News
Did you find this article useful?
3 out of 3 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
