May 11, 2004 2:09 PM PDT
Microsoft patches new Windows flaw
The software maker described the problem as "important," its second-highest rating for such problems. Antivirus software maker Symantec, meanwhile, characterized the vulnerability as "high risk," citing the potential impact if the vulnerability were successfully exploited.
The flaw exists in the way Windows' Help and Support Center validates information that is sent to it. The software maker released a patch for the vulnerability and urged customers to "install the update at the earliest opportunity." The patch is posted to the company's security Web site, as is a
The bulletin was released as part of Microsoft's regularly scheduled monthly security update, according to Stephen Toulouse, a security program manager in the Microsoft Security Response Center. As for the rating level, Toulouse said Microsoft typically only deems vulnerabilities "critical"--the highest level--if they can be exploited without the user taking any action.
The announcement of the flaw comes as Microsoft works to battle the outbreak of the Sasser worm and its variants. The software giant has been touting the arrest of a German teenager believed responsible for Sasser and other recent infections.
However, unlike Sasser, the latest vulnerability cannot be exploited simply through an e-mail worm. According to Symantec and Microsoft, there are a number of steps the user would need to take in order for their system to be compromised. Most likely, an attacker would have to host a Web site with a page designed to exploit the vulnerability and convince a user with an unpatched system to visit the site and perform several actions.
Microsoft warned of the vulnerability that led to Sasser in a bulletin last month.
The patch released Tuesday by Microsoft to fix the new flaw also makes two other changes designed to make Windows more secure. First, Microsoft removed a feature in Windows XP that gave users the option to upgrade a DVD decoder, in a move designed to prevent malicious exploitation of the feature.
Second, Microsoft eliminated a feature in the Help and Support Center that sometimes prompts people to send out information on their system's hardware after they run the "Found new hardware" wizard. Instead of being prompted to send their hardware information, users will now get an error message at the end of installing new hardware.
6 comments
going to take for people to realize that maybe Windows isn't an
operating system to be using? I certainly can't trust a company
that keeps saying their operating is secure and then patching it
for another flaw every week.
Also, I find this method of releasing patches much better than many other companies. Sometimes a bug will be known about for weeks or months, but nothing is done about it other than the company saying 'We're working on it'. In my opinion Microsoft has shown itself to be a much more responsible company of late. They used to do patch management the old way, and it eventually caught up to them. An OS has way more lines of code than any other program, and there is just too much that can go wrong. True that doesn't make it alright to have errors, but their constant patches show me that they are trying to attone for those errors.
Now to sit back and watch all the Linux and Mac users bash me for defending Windows....
I have run across 5 PCs today that bombed on Windows Update and won't complete the critical update. I doubt you do enough with your PC to know the difference between quality software and trash. And you letter shows your small IQ.
I don't do Mac or Linux and have sold and supported MS software for 13 years. So it doesn't take a Mac or Linux supporter to see you are an idiot.
What I gather from your post is a few things. 1: you would rather there be no patches or at least that patches were much less frequent. 2: you would like to bite the hand that feeds you (you hate or at least greatly dislike Microsoft, yet it obviously is part of the reason you have a job). 3: you're like me in that you look for something to argue about, simply to argue. And finally 4: you make personal attacks for no discernible reason (at least none I can really see).
Now in reply to those points. 1: I agree, there should be very few patches in the IT world, however, regardless as to who you are, there will be problems and holes. Call it luck but I have almost never had any problem installing patches from any vendor, which is probably why I tend to like working in this field. 2: Your proclamation that you sell and support MS and yet still find it to be vastly inferior is rather hypocritical. Either you don't like your line of work, or like many, you have an alternate persona for the internet. 3: I suppose it is my fault for dropping the line ("Now to sit back and watch all the Linux and Mac users bash me for defending Windows.... "). Oh well, at least it breeds discussion. 4: meh, I'm thick-skinned, send some more if it makes you feel better.
On a final note, what exactly were you referring to when you said "And you letter shows your small IQ"? Was it my spelling mistake of 'attone' or was it the entire post?
My best advice is to have a regular scheduled backup of any important data to a hard disk. This way when your system does crash and you end up doing a complete recovery you can at least import that information back onto the system.
I never judge a person's IQ by their spelling, some of the smartest people I know can't spell worth a darn. I also think that kid from Germany should be on one of the anti-virus companies' payroll for the amount of extra revenue they received, but what do I know anyway.
I will continue using Windows as my OS and put up with some set-backs from time to time in order to make my life easier.