The November edition of Microsoft’s monthly security patch day yielded only a
single, non-critical patch for a security issue last week (see related story
below). Don’t let your guard down, however. There are at
least three other, far more dangerous security exploits that are currently
making the rounds on the Internet and demanding your attention.
An updated version of the malicious Bagle e-mail worm, officially dubbed
W32/Bagle.bb@MM, now attempts to quietly shut down the Windows Firewall that
Microsoft introduced in Windows XP Service Pack 2 (SP2). The virus also
attempts to disable various antivirus software.
With Microsoft, no news is good news — but Microsoft didn’t
give us “no news” on Oct. 12.
Instead, on its regular 2nd-Tuesday patch-release schedule, Microsoft
issued warnings for a record number of newly discovered security
flaws. The company said it was fixing 22 different software flaws in
various products. The patches for all these problems required 10
separate security bulletins. Seven of the 10 bulletins are rated by
Microsoft as “critical,” the most severe rating, which indicates a
security hole that can give hackers access to your system from across
In the Sept. 23 issue of the Windows Secrets Newsletter, we warned
you about the so-called GDI+/JPEG Processing flaw. This security hole allows a
vicim’s PC to be infected merely viewing a hacked JPEG file in Windows XP,
Microsoft Office XP/2003, and numerous other Microsoft products (and
third-party products that rely on Microsoft programming libraries). That
issue provides numerous hyperlinks to help you download the several patches
you need for different versions of MS software.
MS04-028 (833987): Microsoft issued on Sept. 14
a set of critical security patches for a flaw in numerous Microsoft products,
including several versions of Windows, Office, and various
Microsoft issued on July 27 a major series of service-pack upgrades for Office 2003 and various Office System products, including OneNote and Visio.
MS04-025 (KB 867801): Microsoft issued a cumulative update for
Internet Explorer on July 30 that fixes three critical flaws with the
browser. This security bulletin includes patches to stop the Download.Ject
Trojan attacks that are “in the wild” and which succeeded against many
machines in mid-June.
MS04-022 (KB 841873): Microsoft issued
seven security fixes on July 13 as part of its regularly scheduled monthly
security patch schedule. Two of these fixes, including MS04-022, are rated as ”
critical” by the software giant.
It’s been a tough couple of weeks for users of Internet Explorer,
the browser relied upon (default) about 95% of the
Web-surfing population worldwide. The most recent exploit
of IE security flaws, known as the “Download.Ject” attack, is
at this writing only partially patched a Microsoft
workaround. The confirmed existence of related but unpatched
holes is very likely to lead hackers to develop new attacks based on
the successful blueprints that have already swept the Internet.
An exploit is loose on the Internet that allows a Web site to infect a PC
running a fully patched version of Internet Explorer 6, and Microsoft at this
writing has no patch available to close the security hole.