Microsoft releases second monthly patch

Published: 12 Nov 2003 09:25 GMT


Microsoft has released three security updates for the Windows operating system and one update for Office.

The three Windows updates, announced on Tuesday, are ranked as "critical," which is Microsoft's highest rating on the seriousness of security flaws. The updates fix at least eight security issues. The Office update -- required for Office 97, 2000 and XP but not 2003 -- fixes two flaws in the popular productivity program.

"One of the things that we kind of did in this case is that we included several patches in some of the fixes," said Stephen Toulouse, security programme manager for Microsoft's security response centre.

"We are trying to drive the deployment of fixes for our customers. It is one of the things our customers have asked us to do."

The updates are the second instalment since Microsoft revamped its patch-publishing schedule to release fixes on the second Tuesday of every month. The November release, however, is problematic in the United States, because the second Tuesday is Veterans Day. Foreseeing that the release might pose a problem for federal administrators, the Federal Computer Incident Response Centre (FedCIRC) sent an email to many US agencies, warning their network custodians that the patches are coming out.

"FedCIRC has coordinated with Microsoft on the release of four Microsoft security bulletins," the email stated. "They will be released tomorrow, Veterans Day, 11 November, 2003. Please keep an eye out for them and consider the effect that they may have on your infrastructure."

Perhaps the most serious flaw is a memory error in the Windows Workstation service, which is a software component that facilitates access to network resources such as printers and files. The vulnerability could allow an attacker to gain control of a person's PC via the Internet in much the same way the MSBlast worm was spread to hundreds of thousands of computers in August.

The patches fix several flaws in Internet Explorer that could allow an attacker to compromise a person's PC by drawing the user to a Web site designed for that purpose, or with an email if the victim is using an unpatched version of Outlook 98 or Outlook 2000. Called cross-domain vulnerabilities, the flaws affect Internet Explorer 5.01, 5.5 and 6 on every Windows platform, except for Windows Server 2003. That latest version of Microsoft's enterprise operating system has default settings that limit the effect of the flaws.

The move to monthly patches has garnered some criticism from security experts.

"Microsoft wants to make it easier for administrators, but it's more likely that the bad guys are going to release the patches the following week," said Richard Forno, an independent security consultant.

The regular patch publishing schedule may inspire more corporate system administrators to upgrade their systems, but it will also allow underground programmers a predictable time to focus on writing code to exploit the flaws, he said.

For that reason, Forno believes the move is more likely about minimising the number of times Microsoft flaws are covered in the press.

"I think it is more to get Microsoft's name out of the news," he said. "It is good marketing but lousy security."
