School technology leaders, take note: Microsoft Corp. on Feb. 8 released eight security fixes that carry its highest threat rating of “critical” and said all the vulnerabilities could allow an attacker to take complete control of an infected computer system if users don’t apply the patches.
Seven of the critical security vulnerabilities affect various parts of the Windows operating system and server software, including Microsoft’s Internet Explorer browser, media player, and instant messaging program. The eighth critical problem is with Microsoft’s Office XP business software.
The Redmond, Wash., software maker also released another four security fixes that carry lesser threat levels but could still allow an attacker to gain some control of an affected system if left unpatched.
Stephen Toulouse, a Microsoft security program manager, conceded that “this is a month that has a significant number of updates for customers to deploy” but added that Microsoft works to make fixes available as soon as it has them.
Toulouse said anyone running any version of Windows will need to install at least one of the updates. Many of the fixes also apply to Service Pack 2, the massive security upgrade for Windows XP that was released last summer.
Among the fixes is a particularly important cumulative update for Internet Explorer, which includes patches for vulnerabilities that have already been made public. Toulouse said some people have figured out how to exploit some of the vulnerabilities patched with this update, but the company isn’t seeing widespread attacks yet.
Still, he noted that since attackers have a head start, these flaws could be exploited much more quickly than others.
Toulouse said another particularly important critical update could let an attacker take control of a computer by getting the user to view a particular image, perhaps through the company’s MSN or Windows Messenger or its Windows Media Player. The flaw takes advantage of imaging technology called “PNG Processing.”
Vincent Gullotto, a vice president with security software maker McAfee Inc., said his researchers were especially concerned about a critical flaw in some Windows server software, because that problem could create a worm-like attack that spreads with little interaction from users.
The large number of security updates could cause problems for large businesses and school districts, which must rush to get their employees’ computers secured while making sure the security fixes don’t cause problems with regular operations.
Toulouse said Microsoft would be offering extra support for business and education customers to deal with the mass of fixes.
The monthly fixes came on the same day that Microsoft announced plans to acquire security software maker Sybari Software Inc. as part of efforts to produce its own for-fee security products. Microsoft’s software is a frequent and popular target for internet-based attackers, and the company has made security a priority amid increasing hassles for schools and consumers.
Browser feature could facilitate scams