http://www.washingtonpost.com/wp-dyn/articles/A47383-2004Jul13.html

By Brian Krebs
washingtonpost.com Staff Writer
July 13, 2004

Microsoft Corp. today issued two "critical" software updates for its Windows operating system, bringing to 12 the total number of critical software fixes the company has released so far in 2004 and putting the focus once again on the security of Microsoft's widely used Internet Explorer Web browser.

The two patches deal with security holes in the Windows 2000 and Windows XP operating systems. The first involves a flaw in "task scheduler," a program that allows Windows users to run applications at scheduled intervals. The other resides in Microsoft's built-in "HTML Help" function, which offers tips on using Windows programs.

Stephen Toulouse, Microsoft's security program manager, said both vulnerabilities could be exploited via Internet Explorer if hackers can trick computer users into visiting a Web site designed to target the security holes. Microsoft said that, if left unpatched, computers running the vulnerable Windows versions could be remotely controlled by hackers.

Microsoft rates security flaws as "critical" if they can be easily exploited, such as by an Internet worm that can infect a computer without a user having to click on an infected e-mail attachment or download a file from the Internet.

Microsoft also released five other patches today, including a fix for the software it makes to power Web sites. Rated by the company as "important," the patch fixes a flaw that could allow hackers to seize control over Web sites powered by Microsoft's Internet Information Services (IIS) Web server version 4. Last month, at least two separate attacks targeted hundreds of Web sites powered by the IIS software. Those attacks leveraged a combination of Internet Explorer and IIS flaws to surreptitiously plant spyware on PCs.
The spyware program was designed to steal personal information like passwords and account numbers when an infected computer was used to access one of several online banking sites. In a departure from its regular schedule of monthly patch releases, Microsoft issued a fix to remedy that problem on July 2. But security experts later demonstrated that the vulnerability could still be targeted using a slightly different method; one of the patches released today seeks to fix the original patch.

Experts say attacks that rely on tricking Internet Explorer users into visiting certain Web sites are particularly dangerous because many security systems protecting corporate Web sites are configured to permit Web browsers to access files and upload information.

"When an attack is coming through the Web browser, at that point it's pretty much already gotten past whatever security or firewalls you have in place," said Marc Maiffret, a security expert at eEye Digital Security in Aliso Viejo, Calif.

Vincent Weafer, senior director of Symantec Security Response, said Web browser exploits are fast becoming a preferred attack method for hackers because they're stealthy and can be targeted to an individual user. Weafer said browser-based attacks are particularly appealing for those interested in conducting Internet fraud scams or planting spyware on PCs.

"Without a doubt, these are the types of attacks that we're going to be seeing a lot more of for some time," Weafer said.

A total of seven patches were released by Microsoft today, along with an automated tool that scans PCs for signs of infections from last month's browser attack. The various patches are for Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, Windows ME and Windows 98. All the patches can be accessed through www.microsoft.com/security. Microsoft also encourages Windows users to visit its Windows Update site (windowsupdate.microsoft.com) and allow it to scan their computers for needed software updates.
This archive was generated by hypermail 2.1.3 : Wed Jul 14 2004 - 01:14:19 PDT