Opinion: Microsoft plugs critical Vista hole

By Stuart J. Johnston, PC World
May 21, 2007 07:52 PM ET
Microsoft has just patched another critical hole in Vista that it knew about as long ago as last Christmas. The delay was similar to its lag in patching the serious (and heavily targeted) animated-cursor flaw I told you about last month.

The new problem involves the way that the OS's Client/Server Run-time Subsystem (CSRSS) handles error messages, and it affects Windows 2000 SP4 and Windows XP too. This flaw may not be as severe as the cursor problem, as Microsoft says you'd have to perform certain unspecified "actions" on a malicious Web site before an assault could succeed. But if you were to get snared, an attacker could run any command or program on the victimized PC. Proof-of-concept code, which often presages attacks, is available, but no active attacks on this hole have been reported yet.

If you have Automatic Updates enabled, the fix should already be installed. Otherwise, make sure to get hold of it at Microsoft Technet.

In addition, Microsoft has fixed a critical weakness in its Agent technology in Windows 2000 SP4 and Windows XP SP2. The flaw can be exploited through Internet Explorer 6 if you visit a Web page with a poisoned link or banner ad. While the Agent is normally supposed to run little animated helpers (like the infamous Clippy), a malicious site need not display one prior to delivering an attack. Instead, the bad code could lurk inside a seemingly harmless link.

Vista is unaffected by this hole, as is Internet Explorer 7. You can get the patch via Automatic Updates or download it from Microsoft Technet.

Poisoned pics

Adobe's Photoshop CS2 and CS3 contain critical flaws that can give an attacker control over your PC if you use either program to open bitmap images (those ending with .bmp, .dib, or .rle) that have been rigged, according to security firm Secunia and the French Security Incident Response Team. At least one proof-of-concept exploit is available online. Adobe hadn't released a patch at this writing, so be careful with e-mailed or downloaded images. Get more info from Secunia.

Also, an independent researcher nabbed a $10,000 prize from 3Com's TippingPoint division by exploiting a new bug in Apple's QuickTime player to break into a Mac running OS X. Apple released a patch 11 days later, before any actual attacks surfaced. QuickTime 7.1.6 corrects this flaw, which affects Windows as well as Mac OS X; get the patch from Apple, or from within the program by clicking Help, Update Existing Software.

Vista problem plagues iPods

Microsoft patched a Windows Vista bug that can corrupt an iPod when you use the 'Safely Remove Hardware' feature or disconnect the iPod using Windows Explorer. Though Microsoft provided no details on just how a player is affected by the bug, the company's notice says that you'll have to use iTunes to restore all the music on your iPod if it happens. (It also says that Apple recommends always using iTunes to disconnect an iPod.) Get the patch and more info from Microsoft.

Acer battery recall

Risk of overheating led Acer to recall 27,000 Sony-made lithium ion batteries in TravelMate and Aspire laptop PCs sold between May 2004 and November 2006 in the United States. For details of the recall, go to Acer's Battery Replacement Program. For more about the Sony battery cells' long-term problems, check out the risks of lithium ion technology.

Messenger trouble

Yahoo Messenger has a faulty ActiveX control that leaves you open to attack via IE if you view a poisoned Web page. IE 7 and Windows Vista mitigate but don't remove the threat. Any 8.x version installed before March 13, 2007, is at risk; download the most recent YM version.

X marks the holes

Apple fixed 25 security flaws in OS X a mere month after it corrected 45 other bugs. Pick up the fixes from Apple's auto-update feature or from Apple's Security Update.