After 2 months in which Microsoft released only a smattering of security fixes, the company on Tuesday issued seven security patches, two of which it identified as critical. However, the software giant still hasn't fixed a set of glaring problems with Microsoft Internet Explorer (IE), its dominant Web browser that has come under increasing attack in recent weeks.
The two critical fixes address problems with Windows components, including the Task Scheduler and HTML Help; both problems affect numerous Windows versions. And in both cases, a successful exploit could lead to remote users running code on infected systems, leading Microsoft to label them as critical vulnerabilities.
A third fix, which patches an important security vulnerability in Windows NT 4.0 Service Pack 6a (SP6a), relates to that system's Microsoft IIS component. A successful exploit of this bug could also let an attacker take over the system, Microsoft said.
Another important patch, which affects Windows Server 2003, Windows XP, Windows 2000 Server, and NT 4.0 fixes a bug that can be exploited only when a malicious user gains a valid logon with Administrator privileges. By using a flaw in the Windows shell, that user could remotely take control of the machine.
All the fixes are available through the usual Microsoft software patch systems, including Windows Update and Automatic Updates. Administrators and others looking for more information about all seven patches should refer to the Microsoft Web site.
In related news, Microsoft on Tuesday released a tool that will remove the Download.Ject virus from infected computers. Earlier this month, the virus, which exploits a still-unpatched hole in IE, caused security researchers to start warning users to avoid Microsoft's bug-ridden browser. The tool is available for free download from the Microsoft Web site.