The three Windows updates, announced Tuesday, are ranked as "critical," Microsoft's highest rating on the seriousness of security flaws. The updates fix at least eight security issues. The Office update--required for Office 97, 2000 and XP but not 2003--fixes two flaws in the popular productivity program.
"One of the things that we kind of did in this case is that we included several patches in some of the fixes," said Stephen Toulouse, security program manager for Microsoft's security response center.
Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.
The updates are the second installment since Microsoft revamped its patch publishing schedule to release fixes on the second Tuesday of every month. The November release, however, is problematic in the United States, because this year, the second Tuesday is Veterans Day. Foreseeing that the release might pose a problem for federal administrators, the Federal Computer Incident Response Center (FedCIRC) sent an e-mail to many U.S. agencies, warning their network custodians that the patches are coming out.
"FedCIRC has coordinated with Microsoft on the release of four Microsoft security bulletins," the e-mail stated. "They will be released tomorrow, Veterans Day, 11 November 2003. Please keep an eye out for them and consider the (effect) that they may have on your infrastructure."
Perhaps the most serious flaw is a memory error in the Windows Workstation service, a software component that facilitates access to network resources such as printers and files. The vulnerability could allow an attacker to gain control of a person's PC via the Internet in much the same way the MSBlast worm was spread to hundreds of thousands of computers in August.
The patches fix several flaws in Internet Explorer that could allow an attacker to compromise a person's PC by drawing the user to a Web site designed for that purpose or with an e-mail, if the victim is using an unpatched version of Outlook 98 or Outlook 2000. Called cross-domain vulnerabilities, the flaws affect Internet Explorer 5.01, 5.5 and 6 on every Windows platform, except for Windows Server 2003. That latest version of Microsoft's enterprise operating system has default settings that limit the effect of the flaws.
The move to monthly patches has garnered some criticism from security experts.
"Microsoft wants to make it easier for administrators, but it's more likely that the bad guys are going to release the patches the following week," said Richard Forno, an independent security consultant.
The regular patch publishing schedule may inspire more corporate system administrators to upgrade their systems, but it will also allow underground programmers a predictable time to focus on writing code to exploit the flaws, he said.
For that reason, Forno believes the move is more likely about minimizing the number of times Microsoft flaws are covered in the press.
"It think it is more to get Microsoft's name out of the news," he said. "It is good marketing but lousy security."
