Microsoft issues patch for its software

By Reed Stevenson

SEATTLE - Microsoft Corp. released on Tuesday a patch for its latest "critical" rated security flaw affecting its Windows, Office and developer tools software programs.

Separately, the world's largest software maker was dealt a setback on Tuesday after the Internet Engineering Task Force decided not to adopt Microsoft's e-mail sender ID standard that would make it easier for Internet providers to block unwanted junk e-mail.

Microsoft, which now releases security bulletins and updates on a monthly cycle, said that its latest software flaw stems from the way its software processes images in the JPEG image format.

Users opening a file or viewing a specific image could be at risk if a hacker exploits the flaw and tries to gain access to a personal computer.

"The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image," Microsoft said in a statement, "There is no way for an attacker to force a user to open a malicious file."

Microsoft launched a campaign in early 2002 to boost the security and reliability of its software, and is due to release a major update to Windows XP next month aimed at improving the security of the company's flagship operating system.

Redmond, Washington-based Microsoft urged users to download and install the patch to prevent any risk that the vulnerability may be exploited. The patch can be found at www.microsoft.com/security.

"The one thing that makes this a bit different is that it affects so many applications," said Craig Schmugar, a virus research manager at McAfee Inc.

The large number of Microsoft programs affected by the vulnerability could make it a tempting target for malicious code writers, Schmugar said.

"Home users should definitely roll this (patch) out as soon as possible," Schmugar said.

Microsoft also released another patch on Tuesday rated "important," affecting software used to convert WordPerfect files within Microsoft Office.

Microsoft combined its Caller ID for e-mail and Pobox.com co-founder Meng Wong's Sender Policy Framework last month for submission to the standards-setting Internet Engineering Task Force.

But a working group within the task force led by Andrew Newton raised issues with Microsoft's patent claims on the technology behind its proposal, saying that license restrictions could make the standard difficult to adopt widely, according a memo posted online by the standards group.

E-mail authentication proposals have been floating around since at least 1998, but experts have given the concept more attention over the past year as spam has exploded to account for up to 83 percent of all Internet traffic.

Microsoft and Wong's proposals were aimed at making it difficult for spammers and scam artists to appropriate the e-mail addresses of others in order to slip through content filters, a tactic known as "spoofing."

But the IETF, citing potential issues of compatibility between Microsoft's patent-protected technology and freely licensed protocols, rejected Microsoft's proposals.