
Latest monthly update...
By Robert Lemos
Published: 14 April 2004 08:35 GMT
Microsoft has released fixes that cover at least 20 Windows flaws, several of which could make versions of the operating system vulnerable to new worms or viruses.
At least six of the flaws could make the OS susceptible to programs similar to the MSBlast worm and its variants, which have infected more than eight million computers since last August. Another flaw affects a common file used by Internet Explorer, Outlook and Outlook Express and opens the way for the type of virus that executes when PC users click a specially crafted web link.
The software giant released four patches to cover the 20 security issues, as part of its monthly update schedule. Microsoft wouldn't comment on the level of risk the flaws present, instead maintaining that companies that apply the fixes won't be in danger.
Stephen Toulouse, security program manager for the Microsoft Security Response Center, said: "If you are running a personal firewall, you are at reduced risk from a lot of these vulnerabilities. But we are absolutely taking this seriously."
The largest patch, MS04-011, fixes at least 14 security flaws. A security hole in the Help and Support Center affects both Windows 2003 and Windows XP. Another flaw in the Windows Meta File image format could allow an attacker to create a digital picture file that could take control of a Windows NT, 2000 or XP computer. At least six of the 14 flaws could result in a remote user taking control of a Windows computer.
Toulouse said that instead of taking a piecemeal approach, Microsoft waited to release some patches so it could present a more comprehensive set of fixes. "Rather than shipping the same files over three months, we are trying to provide customers one update that has all the fixes," he said.
However, some security researchers took the software giant to task for waiting to release a particular patch that covers many of the flaws. Microsoft's strategy, they said, was keyed more toward public relations than customer convenience.
Marc Maiffret, chief hacking officer for eEye Digital Security, said: "These releases confirm a trend that has been happening with Microsoft security lately - that they are willing to leave customers vulnerable for long periods of time, all in order to try to bundle security fixes, which leads to the [impression] of having less vulnerabilities. This is completely unacceptable."
eEye Digital Security found six of the flaws Microsoft reported on Tuesday. The company urged Windows users to update their systems as soon as possible. Maiffret has previously criticised Microsoft for taking as long as 200 days to fix flaws. He said Microsoft took as many as 216 days to fix the latest set of flaws.
Other security researchers were less critical of the software giant.
Gerhard Eschelbeck, chief technology officer for vulnerability assessment company Qualys, said: "You can't generalise that Microsoft takes too long to fix flaws. It depends on where the flaw is in the code."
Robert Lemos writes for News.com