Microsoft recently released seven security patches covering a wide array of the company's products. Two of those patches fix holes that Microsoft deemed "critical" and warned could allow remote attackers to take control of vulnerable Windows systems.
The software updates include fixes for some previously unknown holes in Windows, including critical vulnerabilities in the Windows Task Manager and HTML help features. There are also patches for recent, publicly disclosed vulnerabilities in obscure parts of the operating system that could leave a system open to Internet work attacks.
If you haven't done so recently, run Windows Update on your machine to download and install the patches.
In late July, Microsoft also announced its first Service Pack for Office System 2003, which features fresh capabilities for its OneNote and InfoPath applications, along with improvements to overall speed and performance and a collection of previously announced security fixes.
Critical Fixes
The seven updates, dubbed MS04-018 through MS04-024, were released in accordance with the company's monthly patching schedule. Although they're all worth your attention, the two critical patches are must-haves for regular users.
MS04-022 fixes a hole in Windows Task Scheduler, a Windows component that lets users schedule commands, programs, or computer scripts to run at a specific time. It turns out that a buffer overrun vulnerability in the Task Scheduler could allow a malicious hacker to place and run attack code on the vulnerable system.
In buffer overrun attacks, evil-minded hackers purposely fill up a software buffer, which is a temporary place to store data, causing additional data, including malicious code written by the attacker, to spill over into other parts of the system's memory. Buffer overrun attacks can be used to shut down vulnerable systems, corrupt data, alter the way applications run, or give attackers control over the systems.
Attackers could embed attacks on the Task Scheduler in a file on a Web page, then trick Windows users into visiting that page. Alternatively, a Task Scheduler file, called a JOB file, could be tailored to trigger the buffer overrun.
MS04-023 fixes two more newly discovered critical holes in the Windows HTML help feature. One hole entails an error in the way that Windows processes a certain type of help file. If left unfixed, the flaw could allow a remote attacker to use specially crafted URLs to run attack code on the vulnerable Windows system. Attackers would have to trick users into clicking on a malicious link, using a specially designed Web page, or a link embedded in an HTML format e-mail message.
MS04-023 also patches a second flaw in the way Windows checks data in its help files. That vulnerability could allow an anonymous user to set up a Web site containing code designed to trigger the vulnerability. Attackers could also embed attack code in an HTML-formatted e-mail message.
Important Patches
In addition to the two critical fixes, Microsoft patched four holes rated "important," which means hackers exploiting those holes could compromise your data but not necessarily launch an Internet worm against you. One of the patches is related to a widespread Web attack in late June in which hackers modified the configuration of Web servers running Microsoft Internet Information Server, allowing malicious code to be appended to every HTML document transmitted by the Web servers.
Other patches deemed important are aimed at companies and servers, rather than individuals and their PCs. As a result, Windows Update will know you don't need them when it scans your system.
Keep in mind, however, that these are just the latest in Microsoft's long line of software updates. When you scan your system for necessary fixes, you may find you need more downloads than you think.
Paul Roberts writes for IDG News Service.
Ad Choices