Microsoft issued four security bulletins on Tuesday to fix five holes in Windows and Office, including a critical vulnerability in a Windows Help and Support Center feature that has been targeted by attacks.
The vulnerability in the online help feature, which is delivered with supported editions of Windows XP and Windows Server 2003, could allow an attacker to take control of a computer by luring a computer user to a malicious Web site. The bulletin has a severity rating of "critical" for Windows XP and "low" for Windows Server 2003, according to the advisory.
Microsoft and others criticized Google researcher Tavis Ormandy for publicly disclosing the hole and releasing a proof-of-concept exploit before the software giant had a chance to develop a fix. Ormandy defended his actions, saying he needed to get Microsoft's attention to fix the problem, and other researchers supported him. Within days of the disclosure, attacks exploiting the hole were discovered.
More: http://news.cnet.com/8301-27080_3-20010404-245.html