Microsoft issues patches for 21 software flaws

'Critical' vulnerabilities could allow attackers to gain complete control

Iain Thomson, vnunet.com 13 Oct 2004

Microsoft has released 10 security patches for 21 weaknesses, in the company's largest security bulletin of the year.

The seven 'critical' and three 'important' patches variously affect versions of Windows, Internet Explorer, Windows Server 2003 and Excel.

All the critical flaws allow attackers to gain complete control over infected systems, turning them into 'zombie' machines to send out spam.

In one instance, a malicious programmer could instruct a computer to use all its available memory, forcing users to restart.

Microsoft has also re-released last month's patch for the vulnerability in its JPEG handling software.

"This is going to take a little time to patch properly but the results will be beneficial," said Professor Neil Barrett of Cranfield University's computer science department.

"As part of the monthly schedule, enterprises will be ready to install and update the IT infrastructure."

Microsoft said that all the critical updates in this month's release are already included in Windows XP Service Pack 2.

Customers running XP SP2 who have enabled Automatic Updates will automatically receive the sole update that applies.

Those users with Windows XP SP2 are unaffected by any of the critical patches but will have to do some repair work. Patch 38 is only rated as important for SP2 users, while for the rest it is critical.

"There's no great reason for the amount [of patches]," said Simon Conant, Microsoft's security programme manager. "To reduce the impact of any class of problem is the purpose of Service Pack 2."

See also: