Microsoft today released updates to fix at least 22 security flaws in its Windows operating systems and other software. The sole critical patch from this month’s batch addresses an unusual Bluetooth vulnerability that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network.

Bluetooth is a wireless communications standard that allows electronic devices — such as laptops, mobile phones and headsets — to communicate over short distances (the average range is between 30 to 100 meters, but that range can be extended with specialized tools). To share data, two Bluetooth-enabled devices normally need to “pair” with one another, a process that involves the exchange of a passkey between the two devices.

But Microsoft today shipped a patch to fix a flaw in its Bluetooth implementation on Windows Vista and Windows 7 computers that it said attackers could use to seize control over a vulnerable system without any action on the part of the user.  The assailant’s computer would need to be within a short distance of the victim’s PC, and the target would merely need to have Bluetooth turned on.

Joshua Talbot, security intelligence manager for Symantec Security Response, said the vulnerability could be exploited without any alerts being sent to the victim PC.

“An attacker would exploit this by sending specific malicious data to the targeted computer while establishing a Bluetooth connection,” Talbot said. “Because of a memory corruption issue at the heart of this vulnerability, the attacker would then gain access to the computer. All this would happen before any notification alerts the targeted user that another computer has requested a Bluetooth connection.”

Although it is unlikely, such a vulnerability could be used to power a computer worm that spreads from one Bluetooth-enabled Windows laptop to another, Talbot said.

Microsoft advisory states: “Windows Vista and Windows 7 support a wide range of Bluetooth radio devices, and will install the Bluetooth driver when a removable Bluetooth device is added to the system. As a result, all supported versions of Windows Vista and Windows 7 are affected.”

But Talbot added that many Windows laptops are configured to make connectivity as easy as possible for users, and will turn on Bluetooth when the computer’s wireless Internet component is active or searching for networks (which, for many machines, is all the time).

Microsoft fixed 21 other security vulnerabilities this Patch Tuesday; all of them were less severe, so-called “privilege escalation” flaws that are of little use unless the attacker already has a foothold on the target’s system.

Updates are available from Windows Update, or via Automatic Updates. As always, if you experience any problems before, during or after applying these updates, please drop a note in the comments section about your experience.

Microsoft on Tuesday released 16 software updates to fix at least 34 security vulnerabilities in its Windows operating systems and other software. More than half of the updates address flaws Microsoft rates “critical,” meaning the bugs can be exploited with little to no user interaction.

For organizations that need to test patches before deploying them, Microsoft said four of the updates deserve priority:

• MS11-042 (DFS). This bulletin resolves two privately reported issues affecting all versions of Windows.
• MS11-043 (SMB Client). This bulletin resolves one privately reported issue affecting all versions of SMB Client on Windows.
• MS11-050 (Internet Explorer). This security bulletin resolves 11 privately reported issues in Internet Explorer.
• MS11-052 (Windows). This bulletin resolves one privately reported issue in Windows and is also Critical.

Another update, labeled “important,” fixes at least eight security problems in all versions of Microsoft Excel, including Office for Mac.

More information on this week’s updates is available at this summary. Updates are available from Windows Update and via Automatic Updates. You may want to set aside some time for this update package: Among the critical patches is an update for Microsoft’s .NET software, and .NET updates are typically bulky. If you experience problems after applying any of the updates, please leave a note about it in the comments below.

Microsoft issued just two updates today to fix at least three security flaws in its Windows and Microsoft Office products, a merciful respite following last month’s record-setting patch push. One of the patches issued today earned a critical rating, the company’s most serious.

The critical patch is mainly a concern for enterprises that are running Windows Server 2003 and 2008 server operating systems. The Office update fixes two vulnerabilities in Microsoft Powerpoint, and affects older versions of Office, including Office XP, Office 2003, Office 2007 and 2004 for Mac (Office 2010 for Mac and Windows are not affected).

Updates are available through Windows Update or via Automatic Updates. As always, please leave a note in the comments if you experience any troubles during or after the installation of these patches.

Microsoft released a record number of software updates yesterday to fix at least 64 security vulnerabilities in its Windows operating systems and Office products, including at least one that attackers are actively exploiting.

Updates are available for all versions of Windows via Windows Update or Automatic Update. Nine of the patches earned Microsoft’s “critical” rating, which means the vulnerabilities they fix could be exploited to compromise PCs with little or no action on the part of the user, apart from visiting a booby-trapped Web site or opening a tainted file.

Redmond said three of patches should be top priorities. Two of them fix critical vulnerabilities in the “server message block” or SMB service, which handles Windows networking. Attackers could exploit the flaw addressed by MS11-020 by sending a single, specially crafted evil data packet to a targeted system. This is the type of flaw that should concern any network administrator, because it has high potential to be used to power an automated computer worm.

Microsoft also called attention to MS11-018, which is a cumulative security update for Internet Explorer that fixes critical flaws in all versions of the browser except the latest IE9, which is not affected. One of the IE vulnerabilities — the MHTML flaw I wrote about in January — is currently being exploited; another was discovered at the Pwn2Own hacking competition earlier this year.

Most XP users will find that a total of 22 to 30 patches will be installed, and more if Office 2010 is installed.  The PC will be very busy after reboot and will need about four to five minutes to catch up and finish finalizing all the patches.  Included in this month’s patch batch is a .NET Framework update, which usually takes a while to download and install.

In addition to the security updates, Microsoft released two security related tools. The Rootkit Evasion Prevention Tool “will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit,” wrote Dustin Childs, a senior security program manager at Microsoft. “For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe.”

Microsoft expanded the applicability of its Office File Validation tool, a security feature the company initially released in December 2010 for Office 2010 that has now been extended to work with Office 2003 and 2007. “This feature, which is included in Word, Excel, PowerPoint and Publisher (.doc, .xls, .ppt and .pub file formats), will validate the file structure as it is being opened by the user,” wrote Modesto Estrada, Microsoft’s Office Program Manager. The validation will check the file to make sure it conforms to expected Office specifications.  If this process fails the user will be notified of potential issues.”

As always, please leave a comment if you experience any difficulties during or after installing these patches.

Microsoft has issued security updates to fix at least four security holes in its Windows operating system and other software. Not exactly a fat Patch Tuesday from Microsoft, but depending on how agile you are in updating third-party applications like Flash, iTunes and Shockwave, you may have some additional patching to do.

One of the updates from Microsoft earned a “critical” rating, meaning Redmond believes it could be exploited to break into vulnerable systems with little to no help from users. That flaw, a bug in the way Windows Media Player and Media Center process certain types of media files, could be leveraged by convincing a user to open a tainted video file. This flaw affects Windows XP, Vista and Windows 7.

Microsoft has more details on and links to the other two patches — rated “important” — at its Security Response Center blog. The updates are available through Windows Update or via Automatic Update. The software giant chose not to address an Internet Explorer vulnerability that hackers have been exploiting since late January, although the company has issued a stopgap “FixIt” tool for that flaw.

In other news, Apple has released an update to iTunes that corrects more than 50 security vulnerabilities in the Windows version of this software. That patch bundle is available from Apple Downloads or via the Apple Software Update program that now comes bundled with iTunes and other Apple software for Windows.

I’m a bit behind in reporting on important updates to Adobe’s Flash and Shockwave players that fix a load of problems with these widely-installed software packages. The Flash update bumps the player up to version 10.2.152.26, and plugs at least 13 security holes on both Windows and Mac installations. To check which version you have installed, visit this page: There is a decent chance that Adobe’s built-in updater has already prompted you to update this program. If your version is lower than 10.2.152.26, it’s time to update.

Updates are available via Adobe’s Download Center or directly from this page. The latter option avoids Adobe’s obnoxious Download Manager, which may prompt you to install additional software that you don’t need or want. Remember that if you are using both Internet Explorer and a non-IE browser like Firefox or Opera, you will need to install Flash twice, once with the IE ActiveX installer, and again with your other browser. Google Chrome users should already have this version of Flash deployed (but do take a second to check this page to make sure you have the right version, just in case).

The critical Shockwave patch brings the player to version 11.5.9.620, and addresses at least 21 security holes in the program. But readers should check to see whether they even have this program installed before installing the latest version. If you visit this link and see a prompt to install Shockwave, then you don’t have the program. If you do have it installed, you should see a version number beneath the Shockwave icon. Updates are available for Windows and Mac versions of Shockwave.

Update, Mar. 9, 8:31 a.m. ET: It seems that many readers already have an even newer version of Flash installed, v. 10.2.152.32. I checked with Adobe, and they confirmed that this 10.2.152.32 is in fact the latest version, although it contains no additional security fixes. More information on the .32 update is available here.

Talk about Patch Tuesday on steroids! Adobe, Microsoft and WordPress all issued security updates for their products yesterday. In addition, security vendor Tipping Point released advisories detailing 21 unpatched vulnerabilities in products made by CA, EMC, HP, Novell and SCO.

Microsoft’s bundle includes a dozen updates addressing at least 22 security flaws in its Windows operating system and other software. Five of the vulnerabilities earned a “critical” rating, Redmond’s most serious. Six of the Windows flaws fixed in today’s release have been public for some time, although security experts at Symantec say they’re only aware of one of the flaws being actively exploited in the wild — a bug in the way Internet Explorer handles cascading style sheets. Updates are available through Windows Update or Automatic Update.

Microsoft also issued an update that changes the default behavior in Windows when users insert a removable storage device, such as a USB or thumb drive. This update effectively disables “autorun,” a feature of Windows that has been a major vector for malware over the years. Microsoft released this same update in February 2009, but it offered it as an optional patch. The only thing different about the update this time is that it is being offered automatically to users who patch through Windows Update or Automatic Update.

Update, Feb. 18, 11:56 a.m. ET: As F-Secure notes in a useful blog post, Microsoft has once again failed to disable auto-run, because this update is not offered by default, as Microsoft previously indicated.

Original story:

Adobe released an update for its Acrobat and free PDF Reader software that that fixes at least 29 security problems with these products. Adobe is urging users of Adobe Reader X (10.0) and earlier versions for Windows and Macintosh to update to Adobe Reader X (10.0.1), available now. Adobe says that an update to fix these flaws in UNIX installations of its products is expected to be available by the week of February 28, 2011.

Web site administrators publishing with WordPress should be aware that WordPress issued an update — version 3.0.5 that plugs a handful of security holes. This is a relatively minor update — there don’t appear to be any gaping holes — but please remember to back up your installation and database before proceeding with the update, just to be on the safe side.

Following up on changes to its stated disclosure policy, Tipping Point began releasing details of a number of flaws in third-party applications. All of the vulnerabilities Tipping Point detailed in this month’s release involve applications commonly found in corporate IT environments. Toward the end of 2010, the company announced it was changing its disclosure policy to light a fire under vendors that might otherwise drag their feet in fixing important security flaws.

From the company’s August 2010 post: “In an effort to coerce vendors to work with us on patching these issues more promptly, the ZDI is announcing a 6-month deadline going into effect on 08/04/10,” the company wrote. “This applies to all future vulnerabilities submitted through our program as well as all currently outstanding reports. This means that the first vulnerability report, if needed, will be disclosed on 02/04/11. At the end of the deadline if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigations in an effort to enable the defensive community to protect the user. We believe that by doing so the vendor will understand the responsibility they have to their customers and will react appropriately.”

As always, please post a note in the comments section if you experience any weirdness in applying any of these updates.

Microsoft today issued 17 software updates to plug a total of 40 security holes in computers running its Windows operating system and other software. December’s bounty of patches means Microsoft fixed a record number of security vulnerabilities this year.

According to Microsoft, the most urgent of the patches is a critical update that fixes at least seven vulnerabilities in Internet Explorer versions 6, 7 and 8, including three that were publicly disclosed prior to today’s update. Microsoft said that at least one of the public flaws is already being actively exploited.

Microsoft also called special attention to the only other critical bulletin in the batch – a vulnerability in the OpenType Font Driver in Windows.  Redmond warns that an attacker could compromise a machine on a network simply by getting a user to open a shared folder containing a malicious OpenType font file.

According to McAfee, Microsoft has rounded out the year with 106 security bulletins, the highest number in history, and a significant jump over the 74 security bulletins released in 2009. This year also brings a record number of vulnerabilities patched, at 266, McAfee noted.

Obviously, merely counting the number of flaws a vendor fixes doesn’t tell you much about how safe it is to use that vendor’s products, but it’s the foundation for a more careful analysis. It may take some time to dig through the data, but it will be interesting to see whether Microsoft has gotten any nimbler in responding to zero-days (the IE zero-day mentioned above was first detailed on Nov. 3).

Microsoft also patched the last of the zero-day vulnerabilities exploited by the infamous Stuxnet computer worm. This flaw exists in the Windows Task Scheduler, and allows a regular user to schedule a task that will run with elevated (administrator) privileges – effectively giving an attacker full access to the system. Researchers at Symantec warned today that at least two new threats are now exploiting this flaw.

Patches are available through Microsoft Update (using IE) or Automatic Update. As always, please drop a note in the comments section if you experience any issues with this month’s updates.

Microsoft Corp. said today it plans to break from its regularly scheduled monthly software update cycle to issue a patch on Tuesday for a security hole in its Internet Explorer Web browser that hackers have been exploiting lately.

Microsoft normally releases security updates on “Patch Tuesday,” the second Tuesday of each month. But this Tuesday, Mar. 30, Microsoft will release a cumulative update for Internet Explorer that fixes a critical software flaw in IE 6 and IE 7. The browser flaw lets hackers break into vulnerable systems remotely, with little help from users.

Redmond initially said it was aware of only “targeted” attacks that leveraged this vulnerability. But Microsoft’s statement that accompanied this announcement suggests that these attacks may have become more widespread.

“We have been monitoring this issue and have determined an out-of-band release is needed to protect customers,” Microsoft said in a statement on its Security Response Center blog today.

Tomorrow’s update will correct that flaw, as well as at least nine other security holes in IE that Microsoft had planned to patch on the next official Patch Tuesday (April 13).

Microsoft today released a baker’s dozen of software updates to fix twice as many vulnerabilities in its various Windows operating systems and other software. Translation: If you use any supported version of Windows, it’s time once again to update your PC.

Five of the 13 update bundles Redmond issued today earned a rating of “critical,” meaning Microsoft considers these flaws so serious that attackers could exploit them to seize control over vulnerable systems just by getting users to visit a hacked or malicious Web site.

Seven of the most serious bugs are addressed by two patches for Microsoft Office software. Critical flaws in Microsoft Paint, Microsoft Directshow, and a critical ActiveX (Internet Explorer) vulnerability round out the most recognizable of the serious flaws.

According to Microsoft, the most dangerous of the flaws — that is, those that computer crooks are most likely to try and succeed at exploiting soon, include:

-A critical vulnerability in the “server message block” or SMB service — which handles Windows networking (curiously, this is rated critical on all supported Windows versions except Windows Vista and Server 2008);

-A nasty bug in the Windows Shell Hander, the component that allows preview thumbnails to Windows Explorer (affects only Windows 2000, XP and Server 2003);

-The ActiveX/IE and Directshow flaws I mentioned above.

If you encounter any issues or serious problems after installing any or all of these updates, please drop a line in the comments below. Generally, serious problems with Windows patches are rare, and occur mainly in business systems with custom software. Usually, it becomes clear very soon after Patch Tuesday if there are any problems with consumer systems. Just try not to let too much time pass by before applying all of the relevant updates to your machine.

Windows Vista and Windows 7 users can check for updates by clicking “Start,” typing “Windows Update” and selecting the resulting option. Windows XP and W2k users will need to visit the Windows Update Web site with Internet Explorer. Alternatively, Windows users with Automatic Update enabled will likely receive a prompt within the next 12-24 hours to install this month’s round of patches.