SAN FRANCISCO: Microsoft Corp. warned users of three new security flaws in its software on Wednesday, including one critical defect that could be exploited to allow a hacker to gain control of a computer running its Windows operating system software.

Those warnings took the total of such security bulletins issued by Microsoft this year to 30. The tally shows the company arguably has made slow progress in meeting its goal of making its software more secure, about half a year after making that a top priority.

Microsoft released 60 security bulletins for all of 2001, David Gardner, security program manager for Microsoft's Security Response Center, said on Thursday. "The long-term goal is to get these down as low as we possibly can," he said. "It's a journey, not a destination."

In a rare companywide e-mail in January, Microsoft chairman Bill Gates said the company's credibility with customers depended on its ability to release secure software, particularly with regard to its Web services plans. Earlier this year, Microsoft put many of its developers and engineers through special security training and said it would scour its code looking for problems.

Although the number of security bulletins appeared to be tracking the number issued last year, that does not mean the company hasn't improved its record, according to Gardner. "We are seeing effects" of the security initiative, he said. For example, engineers are finding that they are discovering many of the security flaws in software before they are reported by outside researchers, he said.

Although software companies try to catch and fix bugs before products are released, they typically end up having to release patches for security holes discovered afterward. "It's gratifying to be working on a patch for something that's been reported and to find that we already" knew about it, Gardner said.

New critical flaws
Of the bulletins released this week, several are for vulnerabilities Microsoft has deemed "critical."

One critical flaw affects users of Windows NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, Windows XP and Windows Routing and Remote Access Server. A patch has been released that fixes a hole that could shut a system down or allow an attacker to run malicious code on a computer.

The other two critical vulnerabilities announced this week affect users of the Internet Explorer 5.01, 5.5 and 6.0 browser versions, Proxy Server 2.0 or Internet Security and Acceleration Server 2000, as well as Microsoft's instant messaging and chat programs.

A patch is being developed for the Internet Explorer flaw, which could allow an attacker to use an old Internet protocol to take control of a victim computer. The company has issued a temporary solution to protect customers in the meantime. Microsoft has released a patch for the vulnerability in MSN Chat, MSN Messenger 4.5 and higher and Exchange Instant Messenger that could allow an attacker to run malicious code on a victim computer.

There were three other non-critical flaws announced this week, all of which have patches available. Two flaws affecting Microsoft SQL Server 2000 could allow an attacker to run code on a target computer.

A flaw affecting Windows NT 4.0 and Windows 2000 users running Internet Information Server 4.0 and IIS 5.0 could cause the software to fail or allow unwanted code to be run on the server, the company said.

(C) Reuters Limited.