Microsoft fixes ninth critical hole in four months

By Carel Alberts, ITWeb contributor
Johannesburg, 12 Nov 2003

Microsoft has released its latest batch of security updates to fix four new holes in its software, including three "critical" ones. Reports state the bulletins bring "critical" vulnerabilities to nine in four months, adding gloom to statements by the vendor that corporate sales dipped in the September quarter over security fears.

All the vulnerabilities could allow malicious code to run on a user's PC. Reuters reports that the holes affect Internet Explorer, Windows 2000 and Windows XP (Windows Server 2003 is not affected). The IE hole is rated "moderate" for the Windows Server 2003 platform.

An "important" rating was given to a fourth hole found in Office 97, Office 2000 and Office XP, but again not in the 2003 version. Most of the patches address shortcomings in previous patches or new ways of exploiting old vulnerabilities. The latest security update to fix Internet Explorer flaws replaces a patch issued last month - also cumulative.

Microsoft says no customer has been harmed as a result of the holes, but it has seen discussion on security e-mail lists and elsewhere of ways to take advantage of the IE hole.

Less frequent

Previously, Microsoft regularly released security patches every Wednesday, but recently switched to monthly releases on the second Tuesday of every month. This is the second release of patches under the new monthly cycle.

The change aimed to make it easier for customers to install patches, says Stephen Toulouse, security programme manager for Microsoft's Security Response Centre. Companies now need extra staff around for the procedure and to restart patched computers once a month rather than weekly, he added.

Microsoft launched an initiative in early 2002 to improve the security of its products, including offering special training for its developers. Last week, the company said it would offer two $250 000 rewards for information leading to the arrest and conviction of whoever is responsible for the Blaster worm and SoBig.F e-mail virus.

Last month, Microsoft reported a dip in corporate contracts during the September quarter due to customer concerns over the security of its products.

Patches can be downloaded at www.microsoft.com/security.
