- Microsoft Corp. yesterday released an unusually large
number of software security updates to fix flaws in its products, some
of which could be exploited to remotely take over computers running the
Windows operating system.
- The free updates, available at Microsoft's Windows Update
Web site, are designed to fix at least 21 vulnerabilities, several of which
reside on nearly every version of the Windows operating system and affect
hundreds of millions of computers.
- Microsoft rated seven of the flaws as critical, its most
dire warning, saying they could allow attackers to take control of computers
when certain Web sites are visited. Three of the flaws are associated with
the company's Internet Explorer Web browser.
- "I've never seen Microsoft release this many patches
at one time," said Darwin Herdman, chief technology officer at RedSiren
Inc., a Pittsburgh-based Internet security company.
- Some computer experts worried especially about security
holes affecting software products mainly used by large and mid-size businesses.
Russ Cooper, chief scientist at Herndon-based TruSecure Corp., referred
to the patch intended to plug a flaw in Microsoft's Server 2003 operating
system and Exchange Server 2003, a program that manages e-mail.
- The flaw in Exchange could allow intruders to commandeer
machines so they can be used to send spam and "phishing" e-mail
scams, Cooper said.
- "There are all kinds of bad things you could do
with this flaw since Exchange servers are installed in some pretty high-profile
companies," he said.
- Some users may have already fixed some of the flaws.
All of the patches released today that affect Windows XP -- the operating
system of choice of more than 200 million home computer users -- were included
in Service Pack 2, a massive security update Microsoft released in August.
Consequently, XP users who have installed Service Pack 2 must install only
two of the patches made available today.
- One of those patches covers an Internet Explorer security
hole rated "important" by Microsoft. The other is a re-release
of a fix Microsoft released last month to mend a problem in the way the
Windows operating system and Microsoft Office products process digital
image files that could let attackers take control of affected PCs. Hackers
have been exploiting the problem to conduct relatively minor attacks for
weeks now. Microsoft said it re-issued the patch because it did not install
properly on many PCs.
- At the time, many security experts criticized Microsoft
for not making it clear that people with Office XP installed still had
to get another patch from Microsoft's Office Update Web site to be completely
- As a result of that criticism, Microsoft agreed to make
the patch for Office XP also available on its Windows Update site, said
Stephen Toulouse, Microsoft's security program manager.
- -Brian Krebs is a staff writer for washingtonpost.com.
- © 2004 The Washington Post Company http://www.washingtonpost.com/ac2/wp-dyn/A28180-2004Oct12?language=printer