Get your fix: Microsoft sinks 18 holes

by admin July 12, 2006 at 4:13 am

Windows and flaws…

Microsoft on Tuesday made available fixes for 18 security vulnerabilities in Windows and Office software.

The patches were delivered in seven security bulletins, five of which Microsoft deems “critical”, its most serious rating. One of the urgent fixes addresses a flaw in a Windows component that could be used to spread a worm. Other updates deal with Office flaws that have already been used in targeted attacks.

Four updates tackled five Windows-related issues, including a security hole in a Windows component called “mailslot”. The flaw poses the most severe risk in Tuesday’s bunch, security specialist Symantec said in a statement. By sending a specially crafted network packet, an intruder could use the hole to remotely commandeer a vulnerable computer, without user interaction. The flaw affects Windows 2000, Windows XP and Windows Server 2003, Microsoft said in security bulletin MS06-035.

This means the “mailslot” flaw could be exploited to launch a worm that could wreak havoc on the internet. Because the flaw allows malicious code to execute without the PC owner doing anything, such as opening a file, it gives a worm a way to self-replicate.

Monty Ijzerman, senior manager at McAfee Avert Labs, said in a statement: “This vulnerability is the only worm candidate among the patched vulnerabilities today.” Systems running Windows XP with Service Pack 2 and Windows Server 2003 with Service Pack 1 are at less risk from this flaw because the operating systems do not have services listening on mailslots by default, according to Microsoft.

A “mailslot” is a temporary mechanism that applications and operating system processes use for one-way data transfer on Windows systems.

Full article: silicon.com