
By Robert Lemos
Posted on ZDNet News: Apr 13, 2004 8:23:00 PM

On Tuesday, Microsoft released fixes covering at least 20 Windows flaws, several of which could leave versions of the operating system vulnerable to new worms or viruses.

At least six of the flaws could make the OS susceptible to programs similar to the MSBlast worm and its variants, which have infected more than 8 million computers since last August. Another flaw affects a common file used by Internet Explorer, Outlook and Outlook Express and opens the way for the type of virus that executes when PC users click a specially crafted Web link.

The software giant released four patches to cover the 20 security issues, as part of its monthly update schedule. Microsoft wouldn't comment on the level of risk the flaws present, instead maintaining that companies that apply the fixes won't be in danger.

"If you are running a personal firewall, you are at reduced risk from a lot of these vulnerabilities," said Stephen Toulouse, security program manager for the Microsoft Security Response Center. "But we are absolutely taking this seriously."

The largest patch, MS04-011, fixes at least 14 security flaws. A security hole in the Help and Support Center affects both Windows 2003 and Windows XP. Another flaw, in the Windows Metafile image format, could allow an attacker to craft an image file that takes control of a Windows NT, 2000 or XP computer when the file is processed. At least six of the 14 flaws could result in a remote user taking control of a Windows computer.

Toulouse said that instead of taking a piecemeal approach, Microsoft waited to release some patches so it could present a more comprehensive set of fixes. "Rather than shipping the same files over three months, we are trying to provide customers one update that has all the fixes," he said.

However, some security researchers took the software giant to task for waiting to release a particular patch that covers many of the flaws. Microsoft's strategy, they said, was keyed more toward public relations than customer convenience.

"These releases confirm a trend that has been happening with Microsoft security lately: that they are willing to leave customers vulnerable for long periods of time, all in order to try to bundle security fixes, which leads to the (impression) of having fewer vulnerabilities," said Marc Maiffret, chief hacking officer for eEye Digital Security. "This is completely unacceptable."

eEye Digital Security found six of the flaws Microsoft reported on Tuesday. The company urged Windows users to update their systems as soon as possible. Maiffret has previously criticized Microsoft for taking as long as 200 days to fix flaws. He said Microsoft took as many as 216 days to fix the latest set of flaws.

Other security researchers were less critical of the software giant.

"You can't generalize that Microsoft takes too long to fix flaws," said Gerhard Eschelbeck, chief technology officer for vulnerability assessment company Qualys. "It depends on where the flaw is in the code."

Qualys found two of the flaws Microsoft announced on Tuesday. A flaw in a networking code library common to many versions of Windows took Microsoft only two months to fix, said Eschelbeck. Microsoft had practice, since eEye Digital Security had found another flaw in that same library in February.

"A lot of the flaws in this release are derivative of ones that we have seen before," said Qualys' Eschelbeck. "Typically, someone finds a flaw in a particular area and a lot of researchers start looking in that code."

That also happened with the flaw that led to the MSBlast worm. A second, similar flaw was found in October, but it took Microsoft until now to fix it.

Overall, Eschelbeck believes that the software giant is doing the right thing by releasing a single patch for all the flaws that affect the same software components, rather than quickly releasing the fixes one at a time. Qualys had previously found that it takes at least 30 days for half of the vulnerable companies on the Internet to fix the most critical flaws. Easing the pain of patching is important, he said.

"It's a single patch on a scheduled day," he said. "Everyone knows today is Microsoft patch day. I think this is the right thing to do."

Eschelbeck recommended that companies apply at least the first patch from Microsoft by the end of the week.

Information on the four patches can be found on Microsoft's Web site.

Talkback (most recent of 74)

The 4 MS "critical patches" are difficult to install.
I have a Dell computer with 2 megahertz and Windows XP Home Edition. When I tried to download the patches, it took about 15 minutes to download. But it took several HOURS to install and still finally failed...
Posted by: bphsi, 04/17/04