April 14, 2009, 4:08 PM — Microsoft has fixed critical flaws in its Windows, Office, and Internet Explorer software in the company's largest set of security patches this year.
Released Tuesday, the updates fix a number of well-known problems in the company's software, including vulnerabilities in Excel and the WordPad text converter that have been exploited by attackers in a small number of online attacks.
A few other known bugs also were fixed Tuesday, including some issues in Windows and Internet Explorer that could be used to pull off a so-called "carpet-bombing" attack, and Windows flaws that could give attackers extra privileges on a Windows machine.
All told, Microsoft released eight software updates, fixing dozens of bugs in its products. Five of the updates are rated critical by Microsoft, meaning they fix flaws that could be exploited by attackers to run unauthorized software on a computer.
Systems administrators should probably patch the Excel and WordPad bugs first, said Eric Schultze, the chief technology officer with Shavlik Technologies. "There are known issues out here, and why flirt with danger," he said.
The patch for Internet Explorer -- always a favorite target of attack by hackers -- and another critical fix for Microsoft's DirectX multimedia software should also be given top priority, he said.
Another critical patch is in the HTTP software used by Windows computers to connect to Web sites. This update is rated critical for all supported versions of Windows.
Microsoft also fixed a long-standing Internet Information Services (IIS) issue that could allow an attacker to get unauthorized privileges on a computer. This kind of attack, called "token kidnapping," was first reported more than a year ago by Cesar Cerrudo, the CEO of security research firm Argeniss. A token kidnapping attack could be very dangerous on servers that allow users to upload code -- Web servers used by a hosting provider, for example -- because it could give users administrative control over the entire system, letting them control other users' Web sites.
"If you allow people to upload code to the Web server, then you have got to get that one fixed right away," Schultze said.
The carpet-bombing patches are also interesting. Last year, security researcher Nitesh Dhanjani showed how Apple's Safari browser could litter a victim's desktop with downloaded programs. Another researcher soon found a way to combine this behavior with some flaws in Windows and Internet Explorer in order to run unauthorized software on a victim's PC. Apple patched the Safari part of the attack last year, and Microsoft has now followed suit and fixed the underlying Windows and IE issues, meaning that even if attackers found some other way to place software on a victim's machine, the carpet-bomb attack would no longer work.
Microsoft administrators may be busy with today's patches, but for some, patching is only beginning. Oracle is also set to release a major update Tuesday, fixing 43 bugs in its database, application server and other products.
