
Microsoft

New Bug Reported In Windows Help Files

posted on April 13, 2007
by hitbsecnews

Another Microsoft vulnerability has been disclosed, along with proof-of-concept code.

The so-called heap-overflow vulnerability affects Windows help files in multiple versions of Windows XP, Windows Server 2003, Windows NT, and Windows 2000. Researchers at Security Focus reported that the Help File viewer is prone to a heap-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data into insufficiently sized memory buffers.

The problem arises when the application handles a malformed or malicious Windows Help File.

Microsoft patches critical Windows holes

posted on April 11, 2007
by hitbsecnews

Microsoft released four security fixes it deems critical as part of its regularly scheduled software update on Tuesday, while it corrected a handful of problems caused by last week's emergency patch.

Three of the updates marked with Microsoft's highest threat rating plug holes in the Windows operating system; the vulnerabilities could be used by hackers to install malicious code on personal computers.

The fourth fixes a security flaw in Microsoft Content Management Server software, a business application.

Microsoft fights with researcher over Full Disclosure

posted on April 9, 2007
by hitbsecnews

Ryan Naraine has taken Microsoft to task for refusing to officially credit security researcher Cesar Cerrudo for finding a privilege escalation exploit in Windows XP, which was disclosed on the MoKB project late last year. Microsoft isn't pretending that Cerrudo never discovered the bug or never shared the information; it's refusing to officially credit Cerrudo because it feels that Cerrudo broke Microsoft's responsible disclosure policy. But who was really being irresponsible here?

Microsoft should consider change in patching process

posted on April 9, 2007
by hitbsecnews

Several security experts criticised Microsoft this week for not releasing a fix earlier for the Windows ANI flaw, calling for the company to reassess the way it handles critical patches.

Among those voicing concern was Nand Mulchandani of Determina, which initially discovered the flaw last year and disclosed it to Microsoft in December.

"The question is, is the public better served by holding these critical vulnerabilities until a super Tuesday or issue them out of band?" he said.

Exploit for latest Windows vuln already animated

posted on March 30, 2007
by hitbsecnews

A vulnerability in the way Windows handles animated cursors puts users at risk of being pwnd, and several nefarious websites are already trying to exploit the flaw, according to the SANS Internet Storm Center.

Xbox 360 gets a bigger hard drive

posted on March 28, 2007
by hitbsecnews

Microsoft Corp. will sell a version of its Xbox 360 with a 120-gigabyte hard drive and a souped up high-definition video connection, in a bid to broaden the appeal of its popular console beyond video games.

Earlier versions of Xbox 360 came with 20 gigabytes of storage. But that filled up too quickly with movies, TV shows and games from the Xbox Live Marketplace online store, said Peter Moore, a corporate vice president in Microsoft's Interactive Entertainment group.

Microsoft Blames Itself For Xbox Hack

posted on March 27, 2007
by hitbsecnews

After first blaming unsavvy users for being duped into revealing their Xbox Live account information, Microsoft is admitting that its own support staff is at fault.

Gamers have been complaining that hackers broke into their Xbox Live accounts and made off with users' points and information. Last week, Microsoft said it was investigating reports of fraudulent activity on the Xbox Live network.

Microsoft crashes Sony PS3 launch

posted on March 26, 2007
by hitbsecnews

The European launch of the PlayStation 3 has been met by both cheers and indifference across the continent.

London saw the biggest turnout and all those that turned up for the midnight event also got a free HD TV to go with their new console.

But in France, Germany and many other places crowds of keen gamers were conspicuous by their absence.

Exploit-for-sale hacker pins bug on Vista's e-mail app

posted on March 25, 2007
by hitbsecnews

A just-disclosed bug in Windows Vista's built-in e-mail program can be used by hackers to run malicious code on a victimized PC, said a researcher today who two weeks ago touted an exploit-for-sale service.

Microsoft acknowledged the report, and said it is investigating the vulnerability.

Users skeptical as Microsoft denies claims of Xbox Live hacks

posted on March 25, 2007
by hitbsecnews

Despite claims of Microsoft Xbox Live user account fraud, Redmond executives this week denied any major security breaches in its multiplayer gaming system.

"Despite some recent reports and speculation, I want to reassure all of our six million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of the Xbox Live Network or Bungie.net," Xbox Live's Director of Programming Larry Hryb wrote on his blog.