The surge in critical updates that Microsoft has been issuing shows no sign of weakening. The company just shipped 12 bug patches - nine of them critical - affecting everything from Windows to Internet Explorer to Office apps. And unfortunately, things have not gone smoothly.
In keeping with what is now a regrettably familiar pattern, hackers launched a zero-day attack on a hole that one of the fixes addressed, before the patch could be released. This exploit was designed to target the Windows "Server service", which handles file and printer sharing in Windows 2000 Service Pack 4 through Windows Server 2003 as well as in Windows XP SP1 and SP2.
Because the Server service typically runs on PCs that are waiting for connections, clever crackers figured out how to send bogus commands over the Internet to infect vulnerable machines. The attack uses a buffer overflow strategy and can take over your PC without your having to surf the Web, read e-mail, or click anything. It proved scary enough to spur the US Department of Homeland Security to release an alert of its own asking everyone to install the relevant patch as quickly as possible - something it has never done before.
Fortunately, you can lessen your risk by activating a firewall, which blocks unknown incoming Internet connections. Windows XP SP2 has its firewall on by default, as do most broadband routers. This is still a dangerous hole, though, so be sure to obtain and install this patch through Automatic Updates. Alternatively, you can get it - along with additional information - from www.microsoft.com/technet/security/bulletin/ms06-040.mspx.
A broken IE fix
Shortly after releasing a cumulative update for Internet Explorer 6.0 SP1 that patched six critical holes, Microsoft discovered a problem. The new patch introduced a bug that crashed IE under certain circumstances - such as when running CRM (customer relationship management) applications like PeopleSoft and Siebel. At about the same time, eEye Digital Security, a security research firm, discovered that an attacker could take advantage of the crashes to commandeer a computer running Windows 2000 SP4 or XP SP1 (though not SP2). Two weeks later, Redmond released an updated patch.
Grab the fixed fix, which includes the cumulative updates of the previous patch, over Automatic Updates or by visiting www.microsoft.com/technet/security/bulletin/ms06-042.mspx.
This latest batch of critical Microsoft patches corrects a number of additional security holes in Windows dial-up connections, Outlook Express HTML e-mail, and more. Also included are two more patches for Microsoft Office. To get the complete rundown, see www.microsoft.com/technet/security/bulletin/ms06-aug.mspx.
When Microsoft releases Internet Explorer 7 for Windows XP this quarter, the company will mark the new browser as a "high-priority" update using Automatic Updates because of new security features such as better ActiveX handling. But according to the company, you can decide whether to install it when prompted to do so by an initial welcome screen. For more details, go to http://blogs.msdn.com/ie/archive/2006/07/26/678149.aspx.
Word 2000 Flaw
Hackers recently sent out poisoned e-mail attachments to hit a critical Word 2000 security hole before a patch was available. As usual, you should be extremely suspicious of unsolicited attachments. Microsoft will distribute the patch, once it's ready, via Automatic Updates. For more information and for a link to a free workaround that involves using Word Viewer 2003, browse to www.microsoft.com/technet/security/advisory/925059.mspx.
Spysweeper update draws complaints
Although many online reviews rate it highly, some users of Webroot's Spysweeper 5.0 complain that the new version slows down their PC. Webroot's Support Q&A says that such problems may be due to 5.0's need for more RAM. To improve performance, the company recommends installing version 5.0.7, build 1608, and turning off the Keylogger Shield. Get the update and more info at http://support.webroot.com/ics/support/default.asp?deptID=776&Banner=en-us. As a worst-case solution, Webroot recommends rolling back to version 4.5.