Microsoft patches 20 security flaws

Microsoft on Tuesday released fixes for 20 vulnerabilities in a variety of products, including one that is part of Windows Vista.
Written by Joris Evers, Contributor
Microsoft on Tuesday released fixes for 20 vulnerabilities in a variety of products including Windows, but none of the operating system flaws affect Vista.

The fixes arrived in a dozen security bulletins, released as part of Microsoft's monthly patch cycle. Six of the alerts were tagged "critical," the company's most serious rating. These flaws could enable an attacker to gain complete control over a vulnerable computer with no action, or minor action, on the part of the user, Microsoft warned.

The critical vulnerabilities are in Windows, Internet Explorer, Office and in Microsoft security tools such as Windows Live OneCare and Windows Defender. None of the Windows or Office flaws affect Vista or Office 2007, Microsoft's latest updates. However, Windows Defender ships as part of Vista, so the new operating system is at risk from that direction.

Microsoft used its February patch day to clear a backlog of "zero-day" flaws, or security holes that have been publicly disclosed but not fixed. Seven of the 20 vulnerabilities addressed by Tuesday's bulletins were zero-days, and five of those were in Office applications. Microsoft planned to issue patches for the Office zero-day bugs last month, but postponed their delivery.

Most of the Patch Tuesday flaws are only potentially harmful if people with vulnerable PCs visit a malicious Web site or open an infected document. For example, the Microsoft security tools could be compromised when they scan a rigged PDF file, according to the company's advisory.

The updates will be pushed out to Windows PCs that have enabled Automatic Updates. They are also available for manual download from Microsoft's Web site.

Editorial standards