Microsoft Corp. yesterday released an unusually large number of software security updates to fix flaws in its products, some of which could be exploited to remotely take over computers running the Windows operating system.
The free updates, available at Microsoft's Windows Update Web site, are designed to fix at least 21 vulnerabilities, several of which reside on nearly every version of the Windows operating system and affect hundreds of millions of computers.
Microsoft rated seven of the flaws as critical, its most dire warning, saying they could allow attackers to take control of computers when certain Web sites are visited. Three of the flaws are associated with the company's Internet Explorer Web browser.
"I've never seen Microsoft release this many patches at one time," said Darwin Herdman, chief technology officer at RedSiren Inc., a Pittsburgh-based Internet security company.
Some computer experts worried especially about security holes affecting software products mainly used by large and mid-size businesses. Russ Cooper, chief scientist at Herndon-based TruSecure Corp., referred to the patch intended to plug a flaw in Microsoft's Server 2003 operating system and Exchange Server 2003, a program that manages e-mail.
The flaw in Exchange could allow intruders to commandeer machines so they can be used to send spam and "phishing" e-mail scams, Cooper said.
"There are all kinds of bad things you could do with this flaw since Exchange servers are installed in some pretty high-profile companies," he said.
Some users may have already fixed some of the flaws. All of the patches released today that affect Windows XP -- the operating system of choice of more than 200 million home computer users -- were included in Service Pack 2, a massive security update Microsoft released in August. Consequently, XP users who have installed Service Pack 2 need to install only two of the patches made available today.
One of those patches covers an Internet Explorer security hole rated "important" by Microsoft. The other is a re-release of a fix Microsoft released last month to mend a problem in the way the Windows operating system and Microsoft Office products process digital image files that could let attackers take control of affected PCs. Hackers have been exploiting the problem to conduct relatively minor attacks for weeks now. Microsoft said it re-issued the patch because it did not install properly on many PCs.
At the time, many security experts criticized Microsoft for not making it clear that people with Office XP installed still had to get another patch from Microsoft's Office Update Web site to be completely protected.
As a result of that criticism, Microsoft agreed to make the patch for Office XP also available on its Windows Update site, said Stephen Toulouse, Microsoft's security program manager.

Brian Krebs is a staff writer for washingtonpost.com.