11
Jan 11

Microsoft Plugs Three Windows Security Holes

facebooktwittergoogle_plusredditpinterestlinkedinmail

Microsoft today released security updates to fix at least three vulnerabilities in its Windows operating systems, including one labeled “critical,” the company’s most serious rating. However, none of the patches address five zero-day flaws that can be used to attack Windows users.

The critical update targets two weaknesses present in all versions of Windows that Microsoft said hackers could exploit to break into unpatched systems just by getting users to visit a compromised or malicious Web site. A second update fixes a security issue in the Windows backup tool that affects Windows Vista machines.

The vulnerability in the Windows backup tool stems from a weakness that extends to hundreds of third-party, non-Microsoft applications built to run on Windows. I discussed this issue at length in a blog post in September, but the upshot is that Microsoft has made available a FixIt tool to help fortify a number of these applications against a broad swath of security threats that stem from a mix of insecure default behaviors in Windows and poorly-written third party apps. If you haven’t already done so, take a moment to read at least the short version of that post, and apply the supplied FixIt tool from Microsoft.

Microsoft chose not to address a number of outstanding, known vulnerabilities for which exploit code is publicly available. Redmond’s Jonathan Ness explains the company’s thinking in holding off on fixing these flaws in a post to the Microsoft Security Research and Defense blog.

Microsoft has released two separate FixIt tools to help users mitigate the threat from a couple of the more pressing outstanding vulnerabilities. If you use Windows, and especially if you browse the Web with Internet Explorer, you should take a moment to take advantage of these stopgap fixes, available here and here.

The updates are available through Windows Update or via the Automatic Update capability built into all supported Windows versions. As always, if you experience any problems or glitches that appear to be related to applying these updates, please drop a note in the comments section.

Tags: , , ,

12 comments

  1. Krebs, long time fan, first time commenting… ;-)

    I’ve noticed that both of those Fix It tools are actually the same ‘fix it tool’ #50590… I’m really perplexed as to if they actually mitigate both, or just one?

    I did confirm that the fix it DOES make the permissions change to shimgvw.dll as recommended in 2490606

    But I’m not sure about the CSS changes…

    fwiw…

    ps. keep up the great work!

  2. looking forward to more patches for future remote exploits! do read all of the descriptions in the patches, the number of remote exploits to take over the entire computer are hilarious. if cars were made with these many holes, would we be driving them? thumb me down, redmond clowns.

    • Rabid Howler Monkey

      @period If you patch your Windows, you won’t have to worry about vulnerabilities becoming exploits. And if you don’t use Windows, you are safer. But, I sincerely hope that you keep your Mac OS X, iOS, Linux (good luck with that Android fragmentaion) or BSD patched.

      Autos?

      “Auto Theft Prevention Tips – Minimize Your Chances
      http://crime.about.com/od/prevent/qt/prevention_auto.htm

      Reminds me of bullet lists for securing ones PC. My favorite is not leaving “personal identification documents, vehicle ownership title, or credit cards in your vehicle”.

    • You’re going to get marked down for your ignorance and perceived fanboyism than some false Microsoft allegiance. Those who will mark you up most likely share the same mentality! And just to say it, car analogies never translate well to computers! It’s an apples to oranges comparison at best.

  3. Thank you Brian for sifting through all this and making the results of your work available to us.

  4. Hi Brian,

    I applied the ‘fix-it’ for ‘Vulnerability in Graphics Rendering Engine could allow remote code execution’ (CSS). It changed all of my thumbnail photos to icons that would not open. I removed the fix and the thumbnails were restored and will now open. I use Windows XP Pro and IE8.

    Thanks,

    Frank

    • I think that was the intended effect. These workarounds are stopgap solutions until a true patch is released. Since the GRE vulnerability can be launched by loading shortcut icons the Fixit disables them. That is how I am understanding it.

      • I gathered the same thing, but for new items. It disabled all of my photos previously scanned and stored on my hard drive, including those that came directly from my camera. I wasn’t expecting to lose access to all photos.

        • It didn’t disable access to your photos. It just disabled the thumbnails view. You should be able to open and view the photos by right clicking any file, go to “Open with” and choose a program already listed (ex. Windows Picture and Fax Viewer, Internet Explorer, Paint, or possible any other program you have installed that can view image files) or use the “Choose Program” to select a specific program not listed. I’m also using XP Pro and IE8, but have Office 2003 installed and have set Microsoft Office Picture Manager as the default image viewer.

          Note: Windows Picture and Fax Viewer is usually set as the default image viewer and may not work with the Fixit installed, but others should still work using the method I stated above. :)

          While the Fixit’s are a temporary stop gap measure and can be considered a layer of defense, I rarely use them as I rely on a multi-layered defense (defense in depth) while waiting for an official patch. The layered defense provides peace of mind in knowing your system is not going to get easily exploited when these zero day’s are released. As has been mentioned numerous times before, one very important defensive measure is to use a non-admin account (limited user). :)

  5. gandalf french kissing smeagol

    “The critical update targets two weaknesses present in all versions of Windows that Microsoft said hackers could exploit to break into unpatched systems just by getting users to visit a compromised or malicious Web site.”

    Microsoft is more amusing than any stand up comic, they continue to provide patches for complete remote hijack vulns month after month, year after year.

    If Microsoft Windows were a heating pad, I’d expect a daily dildo up the pooper followed by canned laughter.

  6. Installation of KB2419640 with others caused my vista64 box to reboot at logon screen until removed in safe mode and reapplied afterwards. Apparently some number of Win7 users have experienced same. FWIW

    Cheers

  7. I’m still learning from you, as I’m improving myself. I definitely love reading all that is posted on your site.Keep the aarticles coming. I enjoyed it!


Read previous post:
Exploit Packs Run on Java Juice

In October, I showed why Java vulnerabilities continue to be the top moneymaker for purveyors of “exploit kits,” commercial crimeware...

Close