Microsoft Corp. warned users on Tuesday of three new security flaws in its Windows and Word software and issued patches to fix the flaws, which could allow attackers to take over a computer system.
All three of the "critical"-rated security patches could potentially allow an attacker to take control of a personal computer and use it to steal data or launch other attacks, said Stephen Toulouse, a manager at Microsoft's Security Response Center.
"The key thing is really that we want to make people understand the risk with these flaws and that they enable automatic updates," said Toulouse, referring to a feature in Windows that downloads and installs the software patches automatically.
Two of the flaws are related to imaging technology used by Windows, which could potentially allow an attacker to take control of a system simply by having the user view a digital image that contains software code that exploits the flaw, which could be installed on a computer without the user's knowledge.
"Simply by viewing one of these malicious images you can become infected with anything from adware and spyware to any other suspicious code," said Oliver Friedrichs, senior manager at Symantec Corp.'s Security Response Center.
"We've really seen a proliferation of Web sites that exploit these types of software flaws," said Friedrichs, who recommended users install the patches from Microsoft and keep their anti-virus and security software up-to-date.
The Word flaw, which affects various versions of the word-processing program released in 2000 and 2004, could let an attacker take over a personal computer if a user opens a document file containing software code designed to exploit the flaw.
Microsoft issued the patches as part of its monthly security bulletin, which it adopted in 2003 to make it easier for users and computer system administrators to install patches and keep track of vulnerabilities in Microsoft's software.
Users can also download the patches to fix the software flaws at http://www.microsoft.com/security.
Microsoft, based in Redmond, Washington, has been working for the last three years to improve the security and reliability of its software under its Trustworthy Computing initiative, as more and more malicious software targets weaknesses in Windows and other Microsoft software. Source