Microsoft Plugs Critical Vista Hole

Microsoft has just patched another critical hole in Vista that it knew about as long ago as last Christmas. The delay was similar to its lag in patching the serious (and heavily targeted) animated-cursor flaw I told you about last month.

The new problem involves the way that the OS’s Client/Server Run-time Subsystem (CSRSS) handles error messages, and it affects Windows 2000 SP4 and Windows XP too. This flaw may not be as severe as the cursor problem, as Microsoft says you’d have to perform certain unspecified “actions” on a malicious Web site before an assault could succeed. But if you were to get snared, an attacker could run any command or program on the victimized PC. Proof-of-concept code, which often presages attacks, is available, but no active attacks on this hole have been reported yet.

If you have Automatic Updates enabled, the fix should already be installed. Otherwise, make sure to get hold of it at Microsoft Technet.

In addition, Microsoft has fixed a critical weakness in its Agent technology in Windows 2000 SP4 and Windows XP SP2. The flaw can be exploited through Internet Explorer 6 if you visit a Web page with a poisoned link or banner ad. While the Agent is normally supposed to run little animated helpers (like the infamous Clippy), a malicious site need not display one prior to delivering an attack. Instead, the bad code could lurk inside a seemingly harmless link.

Vista is unaffected by this hole, as is Internet Explorer 7. You can get the patch via Automatic Updates or download it from Microsoft Technet.

Poisoned Pics
Adobe’s Photoshop CS2 and CS3 contain critical flaws that can give an attacker control over your PC if you use either program to open bitmap images (those ending with .bmp, .dib, or .rle) that have been rigged, according to security firm Secunia and the French Security Incident Response Team. At least one proof-of-concept exploit is available online. Adobe hadn’t released a patch at this writing, so be careful with e-mailed or downloaded images. Get more info from Secunia.

Also, an independent researcher nabbed a $10,000 prize from 3Com’s TippingPoint division by exploiting a new bug in Apple’s QuickTime player to break into a Mac running OS X. Apple released a patch 11 days later, before any actual attacks surfaced. QuickTime 7.1.6 corrects this flaw, which affects Windows as well as Mac OS X; get the patch from Apple, or from within the program by clicking Help, Update Existing Software.