After announcing changes last week to its process for distributing software patches to customers, Microsoft released the first of its monthly bulletins on Wednesday, with patches for four critical holes in the Windows operating system and one critical flaw in the Exchange e-mail server.
The cumulative security bulletins, one for Windows and one for Exchange, raising the number of Microsoft security patches this year to 47, replace the weekly bulletins that the company had been using to inform customers of important software security updates.
For Windows, Microsoft issued updates addressing two critical problems with Windows components that handle ActiveX controls--small, portable pieces of code that can be inserted into Web pages or programs to perform specific actions.
Patching the Problem
The company also warned customers about the need to patch two buffer overrun vulnerabilities in Windows.
One buffer overflow was found in the Windows Messenger service, a standard Windows component that allows users on a network to send text messages between machines in much the same way as instant messaging.
A second critical buffer overrun vulnerability was found in the Windows Help and Support Center function, which provides Windows users with help and advice on using the product.
Any of the critical Windows flaws that Microsoft identified Wednesday could be used by malicious hackers to launch remote attacks against a vulnerable PC, causing the machine to crash or causing their own attack code to run on the machine, Microsoft said.
For Exchange Server, Microsoft warned customers about a critical vulnerability in the Internet Mail Service that could permit remote attackers to connect to the SMTP (Simple Mail Transfer Protocol) port on a vulnerable machine running Exchange 2000 Server or Exchange Server 5.5 and launch an attack that causes the machine to stop running or to run attack code.
In addition to the five critical issues for Windows and Exchange, Microsoft disclosed two other vulnerabilites--one for Windows that was rated "Important," and one for Exchange that was rated "moderate."
The cumulative bulletins come just days after Microsoft CEO Steve Ballmer announced a slew of new security initiatives to protect customers from what he called a "wave of criminal attacks." The decision to shift from weekly to monthly security bulletins was part of that effort and was made in response to complaints from Microsoft customers about the difficulty of staying on top of the weekly releases, Microsoft said.
The company said that it reserves the right to release bulletins at any time, however, and will do so when it feels customers are in imminent danger of being exploited because of a known software vulnerability, Microsoft said.
Microsoft has tried to release bulletins on Wednesday in recent months. But under the new regime, future monthly updates will be targeted for release on Tuesday, a company spokesperson said.