Here it is Patch Tuesday again and, despite the fact that we're into the dog days of summer, Microsoft is patching the second-largest number of critical holes it has fixed at one time this year.
This month's patches are all over the Microsoft product map. But I was just talking with Amol Sarwate, manager of the vulnerability lab at security firm Qualys, who said the important thing to remember, especially this time around, is to start with the basics.
He was referring to patches that affect core operating system components.
For instance, one of today's patches fixes a flaw in the way Windows, including Windows Vista, handles what's called XML Core Services. This is a technology that enables programs written in JavaScript and other Microsoft development languages to run under Windows. So it functions as a service provided to other programs on Windows, including Internet Explorer.
Interestingly, and rather uniquely, this particular hole also affects the two most recent versions of Microsoft Office for Windows, Office 2003 Service Pack 2 (SP2) and Office 2007, since they both use XML Core Services.
Not patching this one leaves you wide open to attack if you click on a malicious link in an e-mail or IM window, or visit a booby-trapped Web site. As Microsoft's security bulletin says, a successful exploit would enable the bad guys to take complete control of your PC. If you don't already have automatic updates enabled, you can get the patch here.
A second patch affects another core operating system component. This is called Object Linking and Embedding (OLE) automation, the technology that, for example, allows Office to display an Excel spreadsheet in a Word document. On Windows, this is a service provided by the operating system.
However, since Mac OS X isn't a Microsoft system, OLE automation support is provided in Office, so there is a patch for Office 2004 for Mac as well as for Windows 2000 SP4 and for Windows XP SP2, including the 64-bit editions of XP. Here again, clicking a link to a poisoned Web site would end up with your PC being completely compromised.
(Something I haven't mentioned a lot but should do more often is that sites that let users post their own content can be prime locations for these types of attacks, since there is, by definition, less policing of who uploads what to those types of sites.)
Check out the security bulletin, which includes a link to the patch.
Microsoft also patched a third operating system service, this one in Windows' graphics engine. This flaw is located in what's called the Graphics Device Interface or GDI. Here's how Microsoft describes GDI:
"[GDI] enables applications to use graphics and formatted text on both the video display and the printer. Windows-based applications do not access the graphics hardware directly. Instead, GDI interacts with device drivers on behalf of applications."
What a malicious interloper could do is send you an e-mail with a specially crafted attachment containing a corrupted image. If you click to open the image, and don't have this patch installed, chances are you're immediately hosed with a drive-by download or some other type of attack that's equally unpleasant. Alternatively, you could be tricked into visiting a Web site with the rigged image.
The good news is that neither of these last two bugs affects Vista. The bad news is that only something like 60 million copies of Vista have been sold worldwide since Vista shipped in late January. That's a drop in the bucket in comparison to the estimated one billion PCs running Windows that Microsoft foresees will be in use by the end of this year.
Again, if you don't already have your PC configured to download and install bug patches, check out Microsoft's security bulletin, which includes a link to the patch.
The other three critical patches mostly deal with Internet Explorer vulnerabilities. I've discussed those in my next post.
For more info on today's August Patch Tuesday drop, read Robert McMillan's IDG News Service report.