Microsoft's Windows 7 Bug Fixed With Security Update

Microsoft downplayed the fact that its March Patch Tuesday security update included the first fix for its Windows 7 beta operating system, repairing a critical error that allowed hackers to infiltrate a user's computer with a malicious image file.

In its security bulletin, released Tuesday, Microsoft stated that the critical fix was for just about every version of Windows, including Windows 2000, XP, Vista, Server 2003 and Server 2008. However, the software giant failed to mention that the update also was intended for Windows 7 under its "Affected Software" heading.

Microsoft did, however, mention that the update affected Windows 7 under the "Frequently Asked Questions" section. In addition to Windows 7, the patch repaired critical flaws in Windows Server 2008 Service Pack 2 Beta and Windows Vista Service Pack 2 Beta.

Altogether, the patch bundle resolved a total of four image vulnerabilities in the Windows kernel, the most serious of which could allow hackers to install malicious code on users' computers without any user intervention by enticing a victim to view a maliciously crafted EMF or WMF image file. The user could then download a Trojan or other piece of malware that would enable hackers to take complete control of the machine and steal sensitive data. Other vulnerabilities repaired by the update could leave the user susceptible to a denial of service attack.

Microsoft's March security update addressed two other security flaws, both deemed "important," that could allow hackers to spoof Web sites in identify theft schemes.

One of the flaws, occurring in the Windows DNS server and the Windows WINS server, could allow a remote attacker to redirect Web traffic to his or her own malicious Web site. Once users opened the maliciously crafted page, attackers could then entice users to submit sensitive password, credit card or bank account information for identity theft activities. Hackers also could infuse the page with malware designed to record keystrokes and steal information, security experts said.

The other "important" fix repaired a bug in the Windows Secure Channel security package that could allow miscreants to spoof a Web site by gaining access to the authentication credentials utilized by the end user.

While there are thus far no known attacks exploiting the vulnerabilities, security experts recommend that users update their systems with the latest patches, which are available for download on Microsoft's Web site, as soon as possible.