Microsoft Defeats a Seven-Year-Old Bug

Microsoft recently released two new patches, one of which fixes a security hole that the company has been trying to plug since 2001. Amazingly, no attacks exploiting the hole are known to have occurred during those seven years.

Previous patches had mitigated the problem, so Microsoft rated its severity level as Important, the second-highest rating on the company's four-tier scale.

This bug primarily affects Windows XP (which some 700 million people still use) and Windows 2000; for Windows Vista, Microsoft rates the risk only Moderate, its second-lowest rating. The bug lies in a key authentication protocol used by the Server Message Block (SMB) file- and printer-sharing technology. Exploiting it would let an attack program capture user or program credentials as a victim connects to a server the attacker controls and reuse them against the victim's own machine, granting a successful attacker full control over the compromised PC.
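To make the credential-capture risk concrete, here is an added Python model (not Microsoft's code, and not the SMB or NTLM wire format) of a challenge-response login, the relay that turns one captured response into a login on the real server, and a generic countermeasure that binds each response to the name of the server the client believes it is talking to. The host names, the user and the password are constructed for the demo, and the countermeasure illustrates the mitigation class; it is not a description of Microsoft's patch.

```python
import hashlib
import hmac
import os

# Constructed demo secret: one user whose password-derived key is known to the
# user's client and to the legitimate file server.  It stands in for a stored
# password hash; this is not NTLM's hashing and nothing here is SMB wire format.
DEMO_USER = "alice"
DEMO_KEY = hashlib.sha256(b"correct horse battery staple").digest()


def compute_response(key, challenge, bound_target):
    """Keyed response to a server challenge.

    With bound_target=None the response covers only the challenge (the form a
    relay can reuse).  Otherwise the name of the server the client believes it is
    talking to is mixed in, so a response produced for one host fails at another.
    """
    msg = challenge if bound_target is None else challenge + b"|" + bound_target.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, name, keys, bind_target):
        self.name = name
        self.keys = keys                 # user -> key
        self.bind_target = bind_target
        self.outstanding = set()         # challenges issued but not yet answered

    def challenge(self):
        c = os.urandom(16)
        self.outstanding.add(c)
        return c

    def verify(self, user, challenge, response):
        # Accept only challenges this server issued, and each only once.
        if challenge not in self.outstanding or user not in self.keys:
            return False
        self.outstanding.discard(challenge)
        expected = compute_response(self.keys[user], challenge,
                                    self.name if self.bind_target else None)
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user, key, bind_target):
        self.user = user
        self.key = key
        self.bind_target = bind_target

    def respond(self, server_name, challenge):
        # server_name is the host the client *thinks* it is authenticating to.
        return compute_response(self.key, challenge,
                                server_name if self.bind_target else None)


def legitimate_login(client, server):
    c = server.challenge()
    return server.verify(client.user, c, client.respond(server.name, c))


def relay_login(client, lure_name, target):
    """Attacker runs a rogue server named lure_name that the victim connects to."""
    # 1. Attacker opens its own session to the real target and receives a challenge.
    c = target.challenge()
    # 2. Attacker hands that challenge to the victim as if it were the rogue server's own.
    r = client.respond(lure_name, c)
    # 3. Attacker submits the victim's response to the real target.
    return target.verify(client.user, c, r)


def scenario(bind_target):
    """Returns (legitimate_ok, relay_ok) for one protocol configuration."""
    server = Server("fileserver.example", {DEMO_USER: DEMO_KEY}, bind_target)
    client = Client(DEMO_USER, DEMO_KEY, bind_target)
    return (legitimate_login(client, server),
            relay_login(client, "evil.example", server))


if __name__ == "__main__":
    print("unbound responses: legit=%s relay=%s" % scenario(False))  # legit=True relay=True
    print("target-bound:      legit=%s relay=%s" % scenario(True))   # legit=True relay=False
```

The unbound variant shows why simply "capturing" a response is enough: the victim never learns that the challenge it answered came from a third party. Binding the response to the target name leaves the legitimate login working while the relayed response no longer verifies, which is the shape of the compatibility trade-off Microsoft describes below, since every client and server has to agree on the stricter form.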

Why did it take so long to fix?

"[In 2001] we said that we could not make changes to address this issue without negatively impacting network-based applications.... For instance, an Outlook 2000 client wouldn't have been able to communicate with an Exchange 2000 server," Christopher Budd, a security program manager at Microsoft's Security Response Center, said in a blog post.

If you don't get patches installed automatically, you can obtain this patch and more info from a Microsoft security bulletin.

The second patch blocks three security holes in all currently supported versions of Windows: Vista (including Service Pack 1), XP SP2 and SP3, and Windows 2000 SP4, as well as the 64-bit editions of Windows.

The flaws relate to Windows' XML Core Services (MSXML), the XML parsing library that Windows applications, Internet Explorer and Web developers' Web applications rely on. As a user, you may never interact with these services directly, but they're on your PC anyway. One bug (rated Critical by Microsoft) affects only XML Core Services 3.0. The other two (both rated Important) affect later versions.

Be sure to apply this patch pronto. If you have automatic updates enabled, the patches should arrive on their own. But patches want to install themselves immediately, usually followed by a reboot. Rather than tolerate the interruption during a busy day, I have my system set so I can pick when to do the updates. If you're like me, or for some reason didn't get the automatic download, get the patch from a Microsoft security bulletin.

Patches for Firefox

As Firefox grows in popularity, white- and black-hat hackers are poking around more intently in search of security holes. In fact, Firefox 3 has had two different patch releases in the past two months. The latest, version 3.0.4, fixes four sets of newly discovered bugs that the browser's volunteer developers rank as critical.

The update fixes holes in the browser's engine, in its session restore feature, and in two network functions. All four vulnerabilities involve scripting; the only workaround prior to the update was to disable JavaScript, which would cause many sites to stop working properly. Download version 3.0.4 or 2.0.0.18 (depending on your version of Firefox) to get the fixes.

There are no known attacks yet, but don't put off patching. From inside the browser, go to Help, Check for Updates.
