Microsoft warns of 22 new security flaws
October 13, 2004
Microsoft Corp. yesterday released an unusually large number of software security updates to fix flaws in its products, some of which could be exploited to remotely take over computers running the Windows operating system.
The free updates, available at Microsoft's Windows Update Web site, are designed to fix at least 21 vulnerabilities, several of which are present in nearly every version of the Windows operating system and affect millions of computers. A successful exploit of the most severe of these vulnerabilities could allow an attacker to take complete control of an affected system and remotely execute malicious code, Microsoft said.
Microsoft rated seven of the flaws as critical, its most dire warning, saying they could allow attackers to take control of computers when certain Web sites are visited. Three of the flaws are associated with the company's Internet Explorer Web browser. Microsoft's highest severity rating for software flaws is its "critical" ranking, while "important" is considered slightly less severe.
One flaw, in Microsoft Excel, even affects Apple Computer's Mac OS X.
For instance, the flaw in Exchange Server 2003, a program that manages e-mail, could allow intruders to commandeer machines so they can be used to send spam and "phishing" e-mail scams, said Russ Cooper, chief scientist at TruSecure Corp. "There are all kinds of bad things you could do with this flaw since Exchange servers are installed in some pretty high-profile companies," he said.
"The latest updates continue Microsoft's tendency to combine fixes for multiple problems in a single large patch. They should get used to the idea of being snowed under on 'patch Tuesday'. They also obviously need to get used to the idea that combined fixes make testing more difficult," he added. Some of the fixes being announced today are also for problems that were discovered several months ago, noted Russ.
Some users may have already fixed some of the flaws. All of the patches released yesterday for Windows XP -- used by more than 200 million home computer users -- were included in Service Pack 2, a security update that Microsoft began distributing in August. XP users who have installed Service Pack 2 must install only one of the patches made available yesterday.
Microsoft has also re-released a patch from last month's graphics vulnerability, fixing a conflict with Windows XP Service Pack 2. Microsoft said it reissued the patch because it did not install properly on many PCs.
At the time, many security experts criticized Microsoft for not making it clear that people with Office XP installed still had to get another patch from Microsoft's Office Update Web site to be completely protected.
As a result of that criticism, Microsoft agreed to make the patch for Office XP also available on its Windows Update site, said Stephen Toulouse, Microsoft's security program manager.