Microsoft released three security bulletins this week, two of them rated
critical, one rated merely important.
Microsoft released five security bulletins on Dec. 14, all of them ranked
“important,” the second highest level of severity.
Possibly more crucial to your safety than the five well-publicized patches,
however, are three fixes that’ve been released more quietly. The issues that
these upgrades fix include:
MS04-040 (889669): In an effort to close an Internet Explorer
security hole that had become the target of a few initial exploits across the
Internet, Microsoft released a new cumulative patch for IE on Dec. 1, rather
than waiting for the Redmond company’s regular release date, the 2nd Tuesday
of the month.
The November edition of Microsoft’s monthly security patch day yielded only a
single, non-critical patch for a security issue last week (see related story
below). Don’t let your guard down, however. There are at
least three other, far more dangerous security exploits that are currently
making the rounds on the Internet and demanding your attention.
An updated version of the malicious Bagle e-mail worm, officially dubbed
W32/Bagle.bb@MM, now attempts to quietly shut down the Windows Firewall that
Microsoft introduced in Windows XP Service Pack 2 (SP2). The virus also
attempts to disable various antivirus software.
With Microsoft, no news is good news — but Microsoft didn’t
give us “no news” on Oct. 12.
Instead, on its regular 2nd-Tuesday patch-release schedule, Microsoft
issued warnings for a record number of newly discovered security
flaws. The company said it was fixing 22 different software flaws in
various products. The patches for all these problems required 10
separate security bulletins. Seven of the 10 bulletins are rated by
Microsoft as “critical,” the most severe rating, which indicates a
security hole that can give hackers access to your system from across
In the Sept. 23 issue of the Windows Secrets Newsletter, we warned
you about the so-called GDI+/JPEG Processing flaw. This security hole allows a
vicim’s PC to be infected merely viewing a hacked JPEG file in Windows XP,
Microsoft Office XP/2003, and numerous other Microsoft products (and
third-party products that rely on Microsoft programming libraries). That
issue provides numerous hyperlinks to help you download the several patches
you need for different versions of MS software.
MS04-028 (833987): Microsoft issued on Sept. 14
a set of critical security patches for a flaw in numerous Microsoft products,
including several versions of Windows, Office, and various
Microsoft issued on July 27 a major series of service-pack upgrades for Office 2003 and various Office System products, including OneNote and Visio.
MS04-025 (KB 867801): Microsoft issued a cumulative update for
Internet Explorer on July 30 that fixes three critical flaws with the
browser. This security bulletin includes patches to stop the Download.Ject
Trojan attacks that are “in the wild” and which succeeded against many
machines in mid-June.