Thursday, October 12, 2006

Zero Day

Here is an article about even more security flaws in XP. I really don't understand how Microsoft can come out with operating systems that are so prone to problems like this.

Microsoft releases 6 patches for flaws

October 12, 2006 - 12:16PM

Microsoft has released six patches to fix software flaws that carry its highest threat rating, including three for defects that attackers were already trying to exploit.
The company said all six of the critical flaws could allow an attacker to obtain some access to other people's computers.

The software maker also released four other patches to fix vulnerabilities that the company deemed less severe.
Customers can download all the patches for free on Microsoft's security website and also can sign up to have them automatically delivered to their computers. The automatic update system went down for several hours on Tuesday, but the problem was later resolved.
Microsoft said last month that it knew attackers were already trying to take advantage of defects in its Windows operating system, Microsoft Word software and PowerPoint presentation program.

Christopher Budd, a program manager with the Microsoft Security Resource Centre, said that the company had seen limited attacks exploiting the flaws, but was nevertheless recommending that users apply those and other patches immediately.
Such vulnerabilities are rare. In most cases, security experts quietly provide Microsoft evidence of a security flaw, allowing the company to fix the problem in secret and release a patch before attackers can take advantage of it.
But recently, the company has been hit with a number of so-called "zero-day" attacks, in which flaws are targeted before Microsoft is aware of them or can release patches.
Such attacks have prompted some security researchers to release their own interim fixes. Microsoft also has occasionally taken the unusual step of releasing patches outside of its normal monthly fix schedule, so users can be safeguarded more quickly.

Budd said Microsoft isn't seeing any specific pattern to the burst of zero-day attacks. But he said the company is seeing more focus on attackers trying to infiltrate computers through applications - such as Word or PowerPoint - rather than the Windows operating system.
Microsoft software is a constant target of internet attackers, in part because the company's products are so widely used.
Microsoft has yet to release a patch for one other publicly known flaw - one affecting the Internet Explorer browser that is part of its Windows operating system. Budd said the company was seeing very few attacks as a result of the flaw.

AP