Microsoft Windows Vista critical bug hole

Microsoft has just patched another critical hole in Vista that it knew about as long ago as last Christmas. The delay was similar to its lag in patching the serious (and heavily targeted) animated-cursor flaw I told you about last month.

The new problem involves the way that the OS’s Client/Server Run-time Subsystem (CSRSS) handles error messages, and it affects Windows 2000 SP4 and Windows XP too. This flaw may not be as severe as the cursor problem, as Microsoft says you’d have to perform certain unspecified “actions” on a malicious Web site before an assault could succeed. But if you were to get snared, an attacker could run any command or program on the victimized PC. Proof-of-concept code, which often presages attacks, is available, but no active attacks on this hole have been reported yet.

If you have Automatic Updates enabled, the fix should already be installed. Otherwise, make sure to get hold of it at Microsoft TechNet.

In addition, Microsoft has fixed a critical weakness in its Agent technology in Windows 2000 SP4 and Windows XP SP2. The flaw can be exploited through Internet Explorer 6 if you visit a Web page with a poisoned link or banner ad. While the Agent is normally supposed to run little animated helpers (like the infamous Clippy), a malicious site need not display one prior to delivering an attack. Instead, the bad code could lurk inside a seemingly harmless link.

Vista is unaffected by this hole, as is Internet Explorer 7. You can get the patch via Automatic Updates or download it from Microsoft TechNet.
