Microsoft patches spell happy holidays

Microsoft managed to give a small holiday gift to network administrators this month: No critical patches.

The software giant released five patches to fix nine issues in its Windows operating systems on Tuesday, with none of the security holes rated as a serious threat. Microsoft warned last week that the fix would be coming.

"All the flaws have something about them that makes it more difficult for an attacker to exploit them," said Stephen Toulouse, a security program manager in Microsoft's security response center.

Earlier this month, Microsoft issued an unscheduled critical patch for Internet Explorer. It plugged a security hole that opened PCs with the Web browser up to attack by online fraudsters.

The five December advisories are the last fixes scheduled for release this year. If the company does not release any more security bulletins this month, it will have released 45 patches in 2004, down from 51 in 2003.

Those numbers do not necessarily indicate that Microsoft has made progress in its fight against security vulnerabilities. The company frequently releases a single patch to correct multiple flaws, and in some cases, it quietly fixes additional problems without mentioning the issues in its advisories. In April, for example, it delivered four fixes to patch a score of issues, and in October, it issued 10 advisories to fix 22 flaws.

The current issues include problems with a format converter in WordPad software; flaws in the Microsoft implementation of Dynamic Host Configuration Protocol (DHCP), a standard for configuring small networks; an issue in the HyperTerminal application; and vulnerabilities in the Windows kernel. They also address two problems with the Windows Internet Naming Service (WINS) that were publicized last month.

The fixes variously affect a number of Windows operating systems. The latest version of Windows XP, known as Service Pack 2, requires three patches. For the most part, the effect of the nine flaws in the advisory was limited by the security updates in SP2, Microsoft's Toulouse said.

"We are seeing some indications that it is more resilient," he said.

Microsoft has recommended that all Windows XP users upgrade to Service Pack 2, which adds security features to Windows and removes applications that pose potential security risks. The patch can be downloaded through the Windows Update service, which can be started from the Windows Control Panel.