New patches close 20 holes in Windows

Microsoft released on Tuesday fixes that cover at least 20 Windows flaws, several of which could make versions of the operating system vulnerable to new worms or viruses.

At least six of the flaws could make the OS susceptible to programs similar to the MSBlast worm and its variants, which have infected more than 8 million computers since last August. Another flaw affects a common file used by Internet Explorer, Outlook and Outlook Express and opens the way for the type of virus that executes when PC users click a specially crafted Web link.

The software giant released four patches to cover the 20 security issues, as part of its monthly update schedule. Microsoft wouldn't comment on the level of risk the flaws present, instead maintaining that companies that apply the fixes won't be in danger.

"If you are running a personal firewall, you are at reduced risk from a lot of these vulnerabilities," said Stephen Toulouse, security program manager for the Microsoft Security Response Centre. "But we are absolutely taking this seriously."

The largest patch, MS04-011, fixes at least 14 security flaws. A security hole in the Help and Support Centre affects both Windows 2003 and Windows XP. Another flaw in the Windows Meta File image format could allow an attacker to create a digital picture file that could take control of a Windows NT, 2000 or XP computer. At least six of the 14 flaws could result in a remote user taking control of a Windows computer.

Toulouse said that instead of taking a piecemeal approach, Microsoft waited to release some patches so it could present a more comprehensive set of fixes. "Rather than shipping the same files over three months, we are trying to provide customers one update that has all the fixes," he said.

However, some security researchers took the software giant to task for waiting to release a particular patch that covers many of the flaws. Microsoft's strategy, they said, was keyed more toward public relations than customer convenience.

"These releases confirm a trend that has been happening with Microsoft security lately -- that they are willing to leave customers vulnerable for long periods of time, all in order to try to bundle security fixes, which leads to the [impression] of having less vulnerabilities," said Marc Maiffret, chief hacking officer for eEye Digital Security. "This is completely unacceptable."

eEye Digital Security found six of the flaws that Microsoft reported on Tuesday. The company urged Windows users to update their systems as soon as possible. Maiffret has previously criticised Microsoft for taking as long as 200 days to fix flaws. He said Microsoft took as many as 216 days to fix the latest set of flaws.

Other security researchers were less critical of the software giant.

"You can't generalise that Microsoft takes too long to fix flaws," said Gerhard Eschelbeck, chief technology officer for vulnerability assessment company Qualys. "It depends on where the flaw is in the code."

Qualys found two of the flaws that Microsoft announced on Tuesday. A flaw in a networking code library common to many versions of Windows only took the giant two months to fix, said Eschelbeck. Microsoft had practice, since another flaw had been found in that same library by eEye Digital Security in February.

"A lot of the flaws in this release are derivative of ones that we have seen before," said Qualys' Eschelbeck. "Typically, someone finds a flaw in a particular area and a lot of researchers start looking in that code."

That also happened with the flaw that led to the MSBlast worm. A second, similar flaw was found in October, but it took Microsoft until now to fix it.

Overall, Eschelbeck believes that the software giant is doing the right thing by releasing a single patch for all the flaws that affect the same software components, rather than quickly releasing the fixes one at a time. Qualys had previously found that it takes at least 30 days for half of the vulnerable companies on the Internet to fix the most critical flaws. Easing the pain of patching is important, he said.

"It's a single patch on a scheduled day," he said. "Everyone knows today is Microsoft patch day. I think this is the right thing to do."

Eschelbeck recommended that companies apply at least the first patch from Microsoft by the end of the week.

Information on the four patches can be found on Microsoft's Web site.

Talkback

...but you can't get the patches because MS machines are totally overwhelmed by everyone trying to update at the same time. Perhaps spreading out the updates wasn't such a bad idea after all..?

via Facebook 14 April, 2004 10:11
Reply

Don't install Hotfix 835732 on Windows 2000 SP4.

After restart it will use 100% CPU and you will have to wait for 30 minutes just to log in!

The only way to fix this is to wait and run a command prompt and uninstall it.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB835732$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

via Facebook 14 April, 2004 10:34
Reply
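The removal steps quoted in the comment above can be scripted for the case where an administrator has to back a hotfix out of many machines. The following batch script is an added example, not part of the article or of Microsoft's KB text: it assumes the %Windir%\$NTUninstallKB<number>$\Spuninst folder layout and the Spuninst.exe switches listed in the comment, takes the KB number as its only argument, checks that the hotfix is actually present before doing anything, and runs the removal quietly without an automatic reboot so the restart can be scheduled.

```batch
@echo off
rem Added example (not from the article or the KB text): remove a Windows
rem 2000/XP hotfix through its own Spuninst.exe, quietly and without rebooting.
rem Usage: uninstall-hotfix.cmd 835732
rem Assumed: the hotfix was installed with uninstall support, so the folder
rem %Windir%\$NTUninstallKB<number>$\Spuninst exists.

if "%~1"=="" (
  echo Usage: %~n0 KBNUMBER
  exit /b 1
)

set "KB=%~1"
set "SPUNINST=%WINDIR%\$NTUninstallKB%KB%$\Spuninst\Spuninst.exe"

rem Refuse to continue if the uninstaller is not where the KB says it should be;
rem this is the check that tells apart "not installed" from "install folder lost".
if not exist "%SPUNINST%" (
  echo KB%KB% does not appear to be installed: "%SPUNINST%" not found.
  exit /b 2
)

echo Removing KB%KB% with /q (no prompts) and /z (no automatic restart)...
"%SPUNINST%" /q /z
if errorlevel 1 (
  echo Spuninst.exe for KB%KB% returned error %ERRORLEVEL%.
  exit /b 3
)

echo KB%KB% removed. Reboot this machine in the next maintenance window to finish.
exit /b 0
```

Running it from a normal command prompt (or, as the later comments suggest, from Safe Mode when the machine is otherwise unusable) avoids the interactive Add or Remove Programs dialog; the /z switch is deliberate so that a room full of workstations does not all restart at once.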

I agree with Chris Leigh. I have spent all morning trying to patch.

Better that vulnerabilities are patched timeously rather than advertised over long periods of time to be exploited.

Monthly releases of patches are a bad idea from the security and (non-M$) commercial point of view

via Facebook 14 April, 2004 14:07
Reply

Security patches from MS installed overnight (4-15-04) on corporate lan machines. Many users now reporting that the History files have disappeared and are wiped clean each time IE browser is closed.

via Facebook 15 April, 2004 19:59
Reply

This behaviour of the system process using 100% kernel mode time is independent of the service pack on W2K, but it does not happen on all machines. To uninstall, don't wait: just cut off, reboot in safe mode and uninstall there; this is much faster than waiting.

via Facebook 16 April, 2004 14:54
Reply

This happened to me too and I tried uninstalling the Hotfix 835732 just like you said. I left it running all night and it did not finish. I had to completely reinstall Windows 2000.

I was not very happy.

via Facebook 18 April, 2004 05:05
Reply

On our Win 2000 Pro machines installing the 835732 patch caused the machines to boot to a 'blue screen of death'. Rebooting to the Last Good Configuration allowed us to uninstall the patch and restore use of the machine.

via Facebook 23 April, 2004 14:11
Reply
