February 13, 2007 12:54 PM PST

Microsoft patches 20 security flaws

Microsoft on Tuesday released fixes for 20 vulnerabilities in a variety of products including Windows, but none of the operating system flaws affect Vista.

The fixes arrived in a dozen security bulletins, released as part of Microsoft's monthly patch cycle. Six of the alerts were tagged "critical," the company's most serious rating. These flaws could enable an attacker to gain complete control over a vulnerable computer with no action, or minor action, on the part of the user, Microsoft warned.

The critical vulnerabilities are in Windows, Internet Explorer, Office and in Microsoft security tools such as Windows Live OneCare and Windows Defender. None of the Windows or Office flaws affect Vista or Office 2007, Microsoft's latest updates. However, Windows Defender ships as part of Vista, so the new operating system is at risk from that direction.

Microsoft used its February patch day to clear a backlog of "zero-day" flaws, or security holes that have been publicly disclosed but not fixed. Seven of the 20 vulnerabilities addressed by Tuesday's bulletins were zero-days, and five of those were in Office applications. Microsoft planned to issue patches for the Office zero-day bugs last month, but postponed their delivery.

Most of the Patch Tuesday flaws are only potentially harmful if people with vulnerable PCs visit a malicious Web site or open an infected document. For example, the Microsoft security tools could be compromised when they scan a rigged PDF file, according to the company's advisory.

The updates will be pushed out to Windows PCs that have enabled Automatic Updates. They are also available for manual download from Microsoft's Web site.

See more CNET content tagged:
flaw, vulnerability, Microsoft Office, fix, Microsoft Corp.

8 comments

Join the conversation!
Add your comment
Umm, they'd better get in gear, then:
They can start here (which breaks the oh-so-ballyhooed UAC entirely):

<a class="jive-link-external" href="http://blogs.zdnet.com/security/?p=29" target="_newWindow">http://blogs.zdnet.com/security/?p=29</a>

(apparently Vista doesn't even have the no-admin feature on anymore... so much for MSFT and security, hey?)

/P
Posted by Penguinisto (5042 comments )
Reply Link Flag
Not at all
As explained it is a design choice, and no secret. I have known about this for months and I am no "hacker". What would you prefer; a prompt saying "Give this program Admin Yes/No" or a prompt saying "Give this program Admin level 0, 1, 2, 3 or 4?". Since Windows has to be usable by everyone and maintain compatibility the only answer was the "Yes/No". Additionally, if a installer does not need admin it can be designed to not request it via a manifest. The detection heuristics only apply to installers not written for Vista. Besides, why is this different from sudo?

She is doing this for attention, no more, no less, and she should be ignored.
Posted by Siegfried Schtauffen (269 comments )
Link Flag
Yep ... see the cycle begin again ....
Windows vista SURE is the safest windows verion yet ... (snicker)
is that saying much ???? NOT ...

<a class="jive-link-external" href="http://news.wired.com/dynamic/stories/M/" target="_newWindow">http://news.wired.com/dynamic/stories/M/</a>
MICROSOFT_SECURITY?
SITE=WIRE&#38;SECTION=HOME&#38;TEMPLATE=DEFAULT

Oh and yes .. just visiting a malicious site can erase all you data
... sweet ... i guess that is the price for tying in speech
recognition with javascript and activeX controls ....

Would i let a Vista running PC access to personal info knowing
this ??? let me think ..... Never ... Why ? simple ... these first flaws
are just the first tree and there is a MIGHTY big H U G E forest
right behind the bend in the path ...

And yes as Joanna Rutkowska says the whole UAC model is a
joke , a bad one played on unsuspecting users that trusted a
company for yet too many years . As one of my teachers and
tutor in the IT business told me "The only way to secure a PC
running windows can be done in a simple step ... pull the
powercord". I see that advice still hasnt changed .. and yes i use
i5 , NetBSD , FreeBSD in work and at home... so far the kiddies
and the black hats out there are still kept out and my routers
sure are NOT Ciscos. I see this time worn adage still IS true after
all ..
Posted by MacHeads (70 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.