MS04-025 (KB 867801): Microsoft issued a cumulative update for
Internet Explorer on July 30 that fixes three critical flaws with the
browser. This security bulletin includes patches to stop the Download.Ject
Trojan attacks that are “in the wild” and which succeeded against many
machines in mid-June.
MS04-022 (KB 841873): Microsoft issued
seven security fixes on July 13 as part of its regularly scheduled monthly
security patch schedule. Two of these fixes, including MS04-022, are rated as
“critical” by the software giant.
It’s been a tough couple of weeks for users of Internet Explorer,
the browser relied upon (by default) by about 95% of the
Web-surfing population worldwide. The most recent exploit
of IE security flaws, known as the “Download.Ject” attack, is
at this writing only partially patched by a Microsoft
workaround. The confirmed existence of related but unpatched
holes is very likely to lead hackers to develop new attacks based on
the successful blueprints that have already swept the Internet.
An exploit is loose on the Internet that allows a Web site to infect a PC
running a fully patched version of Internet Explorer 6, and Microsoft at this
writing has no patch available to close the security hole.
MS04-015 (840374): Microsoft released only one security bulletin on May
11, the date of its customary 2nd Tuesday update for Windows.
This bulletin, MS04-015, is rated “important,” one step below the most severe
rating of “critical.” It affects only Windows XP and Windows Server 2003.
A fast-spreading worm named Sasser hit the computer world last week —
focusing more attention on MS04-011, a bug-ridden Microsoft security
patch that was designed to halt such threats.
MS04-011 (835732): Out of four major security updates released on Apr.
13 by Microsoft on its regular monthly patch schedule, the MS04-011 bulletin
stands out as a whopper. It replaces more than a dozen previous security
patches that Microsoft delivered to users during the past five years. In doing
so, it attempts to close 14 newly discovered weaknesses.
Microsoft has not released any new security bulletins since the last
issue of Brian’s Buzz was sent out. The company probably won’t issue any more
such bulletins until its next regularly scheduled announcement on April 13,
which is the second Tuesday of this month.
I wrote in the Mar. 11 issue of Brian’s Buzz about three security
bulletins that Microsoft released as part of its normal monthly update
schedule on Mar. 9.
MS04-009 (828040): Microsoft has announced a security weakness
in Outlook 2002, which is available separately as well as in Office XP, that
can allow an attacker to take control of a PC if a malicious Web page
or e-mail message is viewed.