Microsoft warns of 22 new security flaws

Microsoft on Tuesday published 10 software security advisories, warning Windows users and corporate administrators of 22 new flaws that affect the company's products.

The advisories, and patches published with the bulletins, range from an "important" flaw affecting only Microsoft Windows NT Server to a collection of eight security holes, including three rated "critical," that leave Internet Explorer open to attack. Microsoft's highest severity rating for software flaws is its "critical" ranking, while "important" is considered slightly less severe.

One flaw, in Microsoft Excel, even affects Apple Computer's Mac OS X.

The abundance of flaws could leave corporate PCs vulnerable to attack if administrators are not able to patch quickly. A similar situation occurred in April, when Microsoft published seven advisories detailing 20 flaws. While one security hole stood out among those 20--and led to the widespread Sasser worm--there are no standouts in the current gaggle of goofs.

"Our challenge is trying to guess what the criminals are going to attack," said Stephen Toulouse, security program manager for Microsoft's security response team. "The guidance we are giving in general is to treat the critical ones first."

A single computer would not be vulnerable to all the flaws, Toulouse added.

Oliver Friedrichs, senior director of Symantec's security response center, said three vulnerabilities could lead to a Sasser-like worm, but the danger is lessened by the fact that the vulnerable services are not started by default on most versions of Windows. These flaws are related to three network protocols that are not generally activated on Windows computers: Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), and Network Dynamic Data Exchange (NetDDE).

"Blaster and Sasser targeted core system vulnerabilities, where if you didn't have the patch you were vulnerable," Friedrichs said. "The key thing here is that these are not (generally) enabled by default.The question is how large is the deployment of vulnerable systems."

Microsoft rates the SMTP flaw critical only for Microsoft Exchange Server 2003. The NNTP flaw is rated critical for Microsoft Exchange 2000.

The other major class of flaws are those that affect applications on desktop computers, such as Internet Explorer and Excel. Threats to so-called client-side applications have been growing, Friedrichs said.

Of the current crop of vulnerabilities, 12 fall into that category. Of these, Microsoft rated five critical: three of the eight vulnerabilities in Internet Explorer, as well as two flaws in Excel.

Several of the flaws could be used to create Web content that would run a program from the Internet, if a victim could be lured to the malicious Web site.

Symantec raised its overall Internet Threat Condition to 2 from 1, on account of the newly released vulnerabilities.

Microsoft has also re-released a patch from last month's graphics vulnerability, fixing a conflict with Windows XP Service Pack 2.

[Jonathan]

Well I guess I know what I'm doing the rest of this week end weekend

Thanks MS you brainless, incompetent idiots.

Will MS pay for the overtime I'm going to be working to scramble to patches these systems? ***holes.

[itsnotyourbaby]

You must be slow

After I read this article, I did the Windows Update... few minutes later it was done. EASY!
Are you really that bored that when you do a Windows Update you watch the bytes download?
Stop complaining.

[catchall]

You have got to be kidding

As an administrator for a small company (about 80 PC?s, 10 Macs, mostly boxed software but a few in-house apps/modifications), I think I?m about done already, and I just read the article at 10:00PM OCT12( its now 10:30PM). Auto-update on the PC?s means I just need to go around tomorrow and make sure all the patches were applied successfully. While there are way I could find this out from my desktop, I find it a good idea to meet with and talk to the users, answer any questions, and see if anything else needs to be done. There are only a few exceptions, most notably the aging Siebel Server that requires NT4 server. So I will need to get in at 8:30AM, download anything manually, and reboot before folks show up. Oh, the horrors!

[itsnotyourbaby]

Think Different

If you are were efficient administrations, you would have used tools such as GFI LANguard or Microsoft SUS push out the patches to all the systems at once! Patching one PC at a PC is soooo 1999.

Also, if you got paid to install patches, why would you complain? Isn?t it easy work or would you rather try to recovery a physical hard drive failure instead?

I used the 'patch' and my PayPal NOW WORKS !!!

I used the 'patch' and my PayPal NOW WORKS !!!

HMMMMM...
PayPal outage ? or security flaws ?

[Steven N]

Cheer and joy

We'll start seing comments here from people who will tell us that we are all crybabies. And they will try to make us believe that M$ is doing such a good job of protecting our systems.

<rant>
Just as a notice to those people: NO M$ IS NOT DOING A GOOD JOB! NEVER DID, NEVER WILL. If they were doing a good job, then there wouldn't have to be any patches at all!
Don't complain that the biggest player always gets most of the wind. M$ wanted to be the biggest player. They broke the law to become the biggest player. If they didn't want the wind, then they should have known better that to release bug ridden software. Or stayed low profile.
The only thing M$ is good at, is to destroy cometition by illegal means, and throw junk at their customers.
However, what we are seeing as a result of their rubbish is that other companies can make a living by working on M$ incompetence. This can be good for economics, but it is such a waste of energy. If all those programmers that are wasting their time on fixing M$ junk would be doing something really usefull, then we would see some real innovation going on.
</rant>

[Earl Benser]

Give M$ a Break....

Innovation is a concept M$ doesn't really understand. When they
realize that the market is beginning to leave them behind, they
buy (or whatever) any product that can be quickly fixed to carry
the M$ label and fill the gap. That approach is guaranteed to
leave all sorts of problems, but it pumps the M$ bottom line
with the least amount of time and investment.

If you do business with M$, you have to recognize how M$
works. And you have to quit complaining. M$ isn't going to get
any better. As long as large numbers of computer users
continue to think that the M$ approach to software design is
good, there is no reason for M$ to change.

[Earl Benser]

Woudn't you know.....

... To get the relevant updates, you have to use IE. I have trashed
IE (plus OE and ActiveX) to eliminate their security risks and
substandard performance. But M$ says that FireFox and Opera
just won't work. It has to be IE !

That's a bummer. I'm not activating IE for ANY reason, so M$'s
updates are a gross waste of time.

[David Arbogast]

Translation

Translation: I bought (or stole) a product that I use every day along with 80% of the world's computer users. But since there is a crowd of almost 7% of the operators who hate IE, I have jumped on that bandwagon and refuse to use IE under any circumstances. Since IE is part of the product I bought, eliminating it also eliminates my access to product improvements. I have found my utopia... a system with known flaws, and an attitude that keeps me from getting them fixed. I'll be able to complain until the day I die...

[lewissalem]

Windows Media Player...

..used to be good and stable. Now it's a hunk of junk! Ahhh! Why can't you download codecs and install them properly! And you can't remove the damn applcation, you can only "roll back" to an old version.

[David Arbogast]

MediaPlayer

Where did that come from?

Oh well... MediaPlayer has always worked fine for me. I prefer WinDVD for DVD playback, and an old version of WinAmp for MP3s, but MediaPlayer has never given me problems... Sure beats the heck out of RealPlayer and QuickTime.

[pjonesCET]

Microsoft warns of Critical system flaws

Its noted in the article that all the falws were described except the Excel Mac flaw. While we Mac users are a small part of the Computing world we are not chopped liver. you could have at least described that flaw as well. Now I have to findout whether I need to update my "Office2004" or even if a update is coming.

[Thomas, David]

What else is new?

Can't cry if we think that Microsoft is the right-choice to base
our enterprise systems on. Those who know me, know that I
have made this argument for nearly 20 years.

What on earth do you expect from a company that based its
original OS modifications on back-doors and holes designed to
disable competitive software?

These are not accidental flaws, or security holes. Someone had
to write these capabilities into the software and they are just
being exposed. Going forward, the mindset never changed, so
they could not recognize this ill-fated approach.

So the mediocrity continues, what else is new?! ...

[lwolfaje51]

Goody--wonderful

If Microsoft keeps on I will have to buy a new Hard Drive just for my programs,since they are going to fill up the 80gb hard drive that came in the pc--I can hardly wait--EGADS.....AJE

I used the 'patch' and my PayPal NOW WORKS !!!

I used the 'patch' and my PayPal NOW WORKS !!!

HMMMMM...

PayPal outage ? or security flaws ?

[anthonycea]

Don't wait, get help today!

Get help today, don't wait around for M$ to solve your problems.

If you own a PC, see the following URL for help on Anti-virus software, free anti-spyware download links and more

http://searchwars.squarespace.com/free-software-downloads/

Or you can buy a MAC and put an end to your Microsoft nightmare!

[itsnotyourbaby]

Good one David!

Good one David!

[Steven N]

Well...

You sound more and more to a manager to me...

Here's my view on the economics of a small company.

A boss of a small company (with eg. 20 PCs) is struggling to get his company alive, and wants to make sure his personnel gets paid at the end of the month. Having to pay for another M$ license to install a "free" tool like SUS is just overhead for that company. Neither would he have the resources to keep the system properly maintained.

If he wants to make sure his system is secure by changing the way his people are using their PC's (e.g duping IE and Outlook), then he is still required to use this piece of Internet Expoiter. See some of the comments below, you know them.

In a company IT is considered to be a money pit because of all this junk. And it is a prejudice that is confirmed every time again...

[Steven N]

It's for you Mr Arbogast

Regards

[David Arbogast]

try logic Mr. Nijs

Your biggest mistake is to assume that dumping IE and Outlook somehow makes the entire infrastructure secure. Regardless of the OS and browser you choose, you will absolutely have to upgrade, patch, and secure systems on an ongoing basis. The question is... whether it is more economical to do this one machine at a time, or to update machines globally from a centralized location.

Anybody with half a day's experience knows that you estimate the cost of patching manually, and compare it to the estimated cost of an automated patch system. The lower cost solution wins.

So... figure that an IT employee will cost a company at least $50/hour (with benefits). Now, how many hours of patching does it take to equal the cost of a single server license? A person running a small business will quickly identify the most economical solution.

So maybe I do sound like a manager to you. If that is the case, then I am a manager who is fiscally responsible and will keep my company alive and employing IT workers for many years to come. You are welcome to waste your company's money with an anti-Microsoft attitude that raises the cost of security.