February 8, 2005 3:07 PM PST
Microsoft releases 'critical' patches
The software giant announced a dozen updates, eight of which were given its highest severity rating. Microsoft's Office XP, Internet Explorer 6 and an image file component of the Windows operating system for Media Player and MSN Messenger were among the updates dubbed critical.
"This is their second-largest bulletin release since they started doing these monthly updates, except for the 24 bulletins they released last year," said Vincent Gullotto, vice president of the antivirus emergency response team for security specialist McAfee. "But it's common to see this kind of ratio of critical bulletins."
Among the patches is a significant cumulative fix to resolve some of the underlying vulnerabilities of IE that have already been made public. Microsoft said those flaws have not yet been widely exploited.
"There is public exploit code out there for some of the IE vulnerabilities we are patching, but we have not heard of any widespread attacks," said Stephen Toulouse, a Microsoft security program manager.
The update for IE is designed to address vulnerabilities such as an attacker taking control of a system and installing programs; changing, deleting or viewing data; or creating new accounts with full user rights.
IE 6 with Service Pack 1 running on systems featuring Windows XP, with or without Service Pack 1, or Windows 2000 with Service Pack 4 or 3, are affected by this vulnerability.
The scheduled updates come as Microsoft announced plans to acquire security software developer Sybari Software and as it enters its fourth year of its Trustworthy Computing initiative to make its applications more reliable.
The latest flaws add to the many security headaches for businesses. One analyst urged consumers to automatically patch their systems to avoid such exploits but said that for businesses, it's not so easy.
"If I was John Doe consumer, I would have my auto-update turned on so it automatically installs the Microsoft updates," said Mark Nicolett, a Gartner analyst. "But for a corporation, it's not quite so simple. You have to do some level of quality control testing to make sure you're not affecting some of the applications you need to run for business."