Home > Security

Computerworld - Microsoft Corp.'s monthly patch release cycle may be making it more predictable for users to deploy software updates, but there appears to be little letup in the number of holes being discovered in the company's software.
Microsoft's security updates for October, which were released today, detailed fixes for seven "critical" vulnerabilities and three "important" ones across a wide range of Windows software. In total, today's patches address 20 different vulnerabilities.
A successful exploit of the most severe of these vulnerabilities could allow an attacker to take complete control of an affected system and remotely execute malicious code, Microsoft said.
All of the critical updates, except for one, are already included in the company's recently released Windows XP Service Pack 2. The sole critical update that applies to users already running XP SP2 is a cumulative fix for Internet Explorer detailed in MS04-038 that addresses a wide range of new flaws in the browser program.
Among the critical updates issued today are the following:

• MS04-032: Details fixes for several vulnerabilities in Windows NT, XP and Server 2003. The flaws could allow attackers to take complete control of a system and to view, change or delete data on compromised systems.


• MS04-033: A remote code execution vulnerability in Microsoft Excel that affects users of Microsoft Excel 2000, Microsoft Excel 2002 and Microsoft Excel 2001.


• MS04-34: Details a critical vulnerability in the way Windows processes compressed files.

Other updates released today include one for a critical vulnerability in the Windows SMTP and Exchange Server Routing Engine (MS04-35) and a remote code execution flaw in Windows Shell (MS04-037).
The latest updates continue Microsoft's tendency to combine fixes for multiple problems in a single large patch, said Russ Cooper, an analyst at Herndon, Va.-based TruSecure Corp.
"They should get used to the idea of being snowed under on 'patch Tuesday,' " Cooper said. "They also obviously need to get used to the idea that combined fixes make testing more difficult," he added. Some of the fixes being announced today are also for problems that were discovered several months ago, he noted.
Stephen Toulouse, security program manager at Microsoft's Security Response Center, said the company has been releasing combined fixes in response to user demands.
Whenever multiple flaws exist in the same file, an effort is made to combine the fixes into one update rather than release multiple updates, he said.
"We have heard very clearly from customers that when there is an opportunity to have just one update, that's what they want," Toulouse said.

Read more about Security in Computerworld's Security Topic Center.