Another Vista Hole Plugged by Microsoft

Discussion in 'Vista News' started by Jason, May 25, 2007.

  1. Jason

    Jason

    Joined:
    Sep 26, 2005
    Messages:
    2,081
    Likes Received:
    1
    Location:
    Chicago,IL
    Microsoft has just patched another critical hole in Vista that it knew about as long ago as last Christmas. The delay was similar to its lag in patching the serious (and heavily targeted) animated-cursor flaw I told you about last month.



    The new problem involves the way that the OS's Client/Server Run-time Subsystem (CSRSS) handles error messages, and it affects Windows 2000 SP4 and Windows XP too. This flaw may not be as severe as the cursor problem, as Microsoft says you'd have to perform certain unspecified "actions" on a malicious Web site before an assault could succeed. But if you were to get snared, an attacker could run any command or program on the victimized PC. Proof-of-concept code, which often presages attacks, is available, but no active attacks on this hole have been reported yet.



    If you have Automatic Updates enabled, the fix should already be installed. Otherwise, make sure to get hold of it at Microsoft Technet.



    In addition, Microsoft has fixed a critical weakness in its Agent technology in Windows 2000 SP4 and Windows XP SP2. The flaw can be exploited through Internet Explorer 6 if you visit a Web page with a poisoned link or banner ad. While the Agent is normally supposed to run little animated helpers (like the infamous Clippy), a malicious site need not display one prior to delivering an attack. Instead, the bad code could lurk inside a seemingly harmless link.



    Vista is unaffected by this hole, as is Internet Explorer 7.
     
    Jason, May 25, 2007
    #1
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.