Microsoft has released 10 software security advisories, warning Windows users and corporate administrators of 22 new flaws that affect the company's products.
The advisories and patches published with the bulletins range from an "important" flaw affecting only Microsoft Windows NT Server to a collection of eight security holes, including three rated "critical", that leave Internet Explorer open to attack.
Microsoft's highest severity rating for software flaws is its "critical" ranking, while "important" is considered slightly less severe.
One flaw, in Microsoft Excel, even affects Apple Computer's Mac OS X.
The abundance of flaws could leave corporate PCs vulnerable to attack if administrators are not able to patch quickly. A similar situation occurred in April, when Microsoft published seven advisories detailing 20 flaws. While one security hole stood out among those 20 - and led to the widespread Sasser worm - there are no standouts in the current gaggle of goofs.
"Our challenge is trying to guess what the criminals are going to attack," said Stephen Toulouse, security program manager for Microsoft's security response team. "The guidance we are giving in general is to treat the critical ones first."
A single computer would not be vulnerable to all the flaws, Toulouse added.
Oliver Friedrichs, senior director of Symantec's security response centre, said three vulnerabilities could lead to a Sasser-like worm, but the danger is lessened by the fact that the vulnerable services are not started by default on most versions of Windows.
These flaws are related to three network protocols that are not generally activated on Windows computers: Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), and Network Dynamic Data Exchange (NetDDE).
"Blaster and Sasser targeted core system vulnerabilities, where if you didn't have the patch you were vulnerable," Friedrichs said. "The key thing here is that these are not [generally] enabled by default. The question is how large is the deployment of vulnerable systems."
Microsoft rates the SMTP flaw critical only for Microsoft Exchange Server 2003. The NNTP flaw is rated critical for Microsoft Exchange 2000.
The other major class of flaws is those that affect applications on desktop computers, such as IE and Excel. Threats to such client-side applications have been growing, Friedrichs said.
Of the current crop of vulnerabilities, 12 fall into that category. Of these, Microsoft rated five critical: three of the eight vulnerabilities in IE, as well as two flaws in Excel.
Several of the flaws could be used to create Web content that would run a program from the internet, if a victim could be lured to the malicious website.
Symantec raised its overall internet Threat Condition to 2 from 1, on account of the newly released vulnerabilities.
Microsoft has also re-released the patch for last month's graphics vulnerability, fixing a conflict with Windows XP Service Pack 2.
Robert Lemos writes for CNET News.com
Comments
1. Craig
"One flaw, in Microsoft Excel, even affects Apple Computer's Mac OS X."
This makes it sound like OS X is at fault here. Excel is vulnerable, not OS X.
I don't have Excel installed on my Mac; I do have OS X installed on my Mac, but I'm not vulnerable to this flaw. Which piece of software is the problem here?
2. anonymous
This just gives us Mac users another reason to gloat over Windows sufferers. But that's typical isn't it? The only way a Mac can be infected is via a Microsoft product. That's why I don't use ANY.
3. anonymous
So what are Microsoft patching?
I have not as yet, because of stability concerns which make life hard to back up, installed SP2 on a machine (which I cannot afford to have go down completely right now).
Things are such a mess that I am confused. Heaven help all the average population who cannot understand the basics.
Most of us have other lives to try and lead besides trawling the Microsoft sites for info on fix compatibility. Here is the rub and the nub of why it is becoming increasingly clear that MS products can never be made secure - not in their current incarnations anyway.
And no, Microsoft, this is not a cue to use promises of a future product ('Longhorn'?) being secure just to create a new cash cow.
Microsoft had their chance. They have failed IMHO so I am actively exploring Linux.
It is no good them bleating about others advising about newly found security holes (recent buffer overrun). Are you seriously expecting us to believe that you knew nothing about this and were keeping it quiet, hoping that it would just go away?
Besides, they wanted the major slice of the cake; they cannot blame anybody but themselves if it is their marketing and development philosophies that have caused the majority of issues to arise in the first instance.