
Details on Today's Microsoft Patches

Monthly security updates include IE, Windows Media, and Visual Studio fixes.

Robert McMillan, IDG News Service


Microsoft today rolled out its monthly security updates for December, patching critical flaws in Internet Explorer, Windows Media Format, and the Visual Studio 2005 development software.

The seven security patches address 11 bugs, including two in the Windows Media Player software. However, no fixes were provided for two Microsoft Word flaws that have been used in a small number of attacks over the past week.

Media Player Patch Added

Microsoft had said it would release only six patches on Tuesday, but the company added the Windows Media Format update at the last minute after reports of attacks based on this vulnerability began surfacing. The Windows Media Format is used by Microsoft's Windows Media Player software.

In late November security vendors warned that a buffer overflow error could occur when the Windows Media Player processed ".asx" (Advanced Stream Redirector) media files. For the attack to work, users would first need to be tricked into opening a malicious media file.

In its update Tuesday, Microsoft also patched a similar bug in the way the media player processes ".asf" (Advanced Systems Format) files.

IE Patch Details

The Internet Explorer patch fixes four bugs. It is also rated critical, and is noteworthy because some of these bugs will probably begin to be exploited by hackers by week's end, says Gunter Ollmann, director of IBM Internet Security Systems' X-Force threat analysis service.

Enterprise administrators should also pay close attention to an SNMP (Simple Network Management Protocol) patch issued today, Ollmann says.

Microsoft has rated this patch as important rather than critical because SNMP is normally blocked at the firewall and turned off by default on Windows systems. However, it is widely deployed as part of the network monitoring infrastructure in the enterprise, and is often used on critical servers, Ollmann says.

Ollmann believes this SNMP patch is the "most important" update for enterprise customers.

"Since the service is widely deployed in the enterprise and since it's commonly deployed on servers, we think this would be an important attack vector for enterprises," he says.

Visual Studio Patch

The remaining updates include a critical fix for Visual Studio 2005 and important updates for Windows and Outlook Express, Microsoft said.

Microsoft defines critical flaws as bugs that could allow the propagation of an Internet worm without any action on the part of the victim.

The company's next security updates are due January 9.
