February's Patch Tuesday and Windows is airtight once again.
There is good news for all users of Microsoft software this Patch Tuesday in February. Microsoft has remedied all previously known critical weak points that attackers were able to use to get control of vulnerable systems remotely. Users of Office will be especially pleased now that the four critical holes in Word and the one in Excel 2000 that have been known for some time have finally been remedied. The fifth hole in Word that was announced turned out to be a variation of an older one. In addition, the critical vulnerability in the ADODB.Connection ActiveX control has also finally been fixed.
Furthermore, patches were released for the HTML Help ActiveX control in all versions of Windows except Vista. In Microsoft's line of security products -- the malware protection in Live OneCare, Antigen, Windows Defender, and Forefront -- the software vendor has remedied a flaw in the analysis of PDF files that attackers could exploit by means of specially prepared documents to get control of the system. The cumulative IE update concerns versions 5, 6, and 7, but not IE7 in Vista. This cumulative update sets the killbit for additional dangerous COM objects and remedies a flaw in the analysis of replies from an FTP server.
Updates classified as "important" have been released for the Windows shell of XP and Server 2003 as well as for XP's Image Acquisition Service. Both of these vulnerabilities allow attackers to get administrator rights on unpatched systems under certain circumstances. Microsoft also ranks other patches as "important": those for the OLE dialog and the Microsoft Foundation Classes (MFC) in various versions of Windows, and the one for the RichEdit function in all versions of Office except for the new Office 2007. The MFC hole also affects Visual Studio .NET. In light of the large number of critical updates and the broad range of software affected, users of Microsoft software should install the patches as quickly as possible, either via the automatic update function in Windows or right away from the Windows Update website.
Interestingly, Microsoft's bulletins say in most cases that the new Windows Vista is affected neither by the problems in the operating system nor by those in software that is vulnerable on other versions of Windows. Possibly, the new protective mechanisms in the successor to XP prevent these vulnerabilities from being exploited on Vista -- at least until attackers find ways to get around them.