Microsoft finds more 'critical' flaws in Windows

Latest patch batch meant to fix vulnerabilities to denial-of-service attacks, a security firm says.

Ed Frauenheim
Ed Frauenheim Former Staff Writer, News
Ed Frauenheim covers employment trends, specializing in outsourcing, training and pay issues.
3 min read
Microsoft on Tuesday announced seven new security updates for Windows, including two that address "critical" vulnerabilities.

Separately, Microsoft has made available a tool to clean systems affected by the Download.Ject exploit. The company had previously released a configuration change designed to help prevent infection, but has yet to release a patch.

Security company Symantec said the new product vulnerabilities include "high risk" threats. "These newly announced vulnerabilities may be exploited remotely, which could allow denial-of-service attacks, and could result in the loss of confidential data," Symantec said in a statement. "Symantec strongly advises users to apply security patches for these vulnerabilities immediately."

The latest flaws add to the many security headaches Microsoft and its customers have been experiencing. Microsoft has committed itself to a stronger focus on security.

Two of the security updates announced Tuesday rated highest on Microsoft's severity scale. The company defines its "critical" rating as: "A vulnerability whose exploitation could allow the propagation of an Internet worm without user action."

The first critical problem involves a vulnerability in the "Task Scheduler" stemming from an unchecked buffer, which is a program in memory that accepts data from external sources. An unchecked buffer is one that does not include commands to ensure that the data is valid.

Microsoft said that if a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs, deleting data or creating new accounts with full privileges. Microsoft added that users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

According to Symantec, in a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page used to exploit this vulnerability. An attacker also would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

Microsoft said the second critical update concerns vulnerabilities related to "HTML Help" and "showHelp." If a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, the company said.

Microsoft said four other security updates were rated as "important," the second-highest rating given by the company. The last security update was rated "moderate" in severity.

Corporate VP Mike Nash announced the tool for Download.Ject during a speech at the Worldwide Partner Conference in Toronto. The company also said that it has reached its goal--ahead of schedule--to train half a million customers and partners on how best to secure their systems. Microsoft also noted that five times as many people are using Windows' automatic update feature as were signed up 10 months ago.

In an interview in Toronto, Nash said that the company has spread its investment in security across many areas.

"If there was a silver bullet, we'd bet on it," said Nash, who heads Microsoft's security business and technology unit.

Since there is not, Nash said, Microsoft is working on several things--making it easier for consumers and companies to keep their software current, improving Microsoft code and developing software that identifies and protects machines that have not been patched.

At the same time, Nash acknowledged that it is still an arms race with those writing malicious code. "There's evolution on both sides," Nash said.