By Brian Krebs
Special to The Washington Post
Friday, October 13, 2006; D01
The cat-and-mouse game that Microsoft Corp. and hackers have been playing for years escalated this week, just as the software giant was addressing some of the biggest problems facing computer users.
On Tuesday, the company released a record 26 security fixes for the Windows operating system and the widely used Office programs such as Word, Excel and Outlook. Yesterday, hackers pounced again, posting on the Internet information about vulnerabilities in PowerPoint 2003, one of the Office programs widely used by business customers and increasingly used by students.
Microsoft, whose products are the largest targets of hackers because they are used on most computer systems, issues software updates to protect users' computers from the viruses, worms and spyware that are spread through its products via e-mail attachments and the Web.
But because those patches are released on a regular schedule -- the second Tuesday of each month -- the people who expose and exploit the vulnerabilities in the programs tend to wait until a day or so after the monthly release to reveal other vulnerabilities they have discovered.
A company spokesman said there have been no known attacks that exploit the PowerPoint 2003 vulnerability and that it will offer guidance to customers as needed. But that doesn't necessarily mean that the company will offer an out-of-cycle software update.
Only twice this year, in January and again two weeks ago, has the company released a patch early. In both cases, the out-of-cycle patches were offered after some users wrote their own and encouraged others to download and install them.
Microsoft said the monthly update is most effective.
"We used to release security bulletins weekly and customers gave us very clear feedback that they preferred a monthly release schedule so they could have adequate time between releases for testing and deployment," said Christopher Budd, a security program manager at Microsoft. "Based on our customers' strong preference, we moved to a monthly release cycle."
Of the updates released this week, 16 were specific to Office and most addressed critical flaws in Office 2000, a predecessor to Office 2003 and still in wide use. Only the two widely publicized "service packs" for Windows XP, which are major updates that users are strongly encouraged to download and install, contained more fixes.
The company hopes that some of its security problems will be reduced when it releases a new version of its Web browser, Internet Explorer, this month. The browser for years has been the target of hackers, whose exploits filled screens with pop-up ads and exposed computers to viruses, worms and spyware.
Microsoft also has been working to address some of its biggest security issues in Windows Vista, the newest version of the Windows operating system, scheduled for release by January.
The 44 security updates to Office this year, compared with six last year, highlight the need to update the suite of programs. The company is working on Office 2007 and is offering a preview at http://www.microsoft.com/office .
Downloads of Microsoft's software patches are available at http://www.microsoft.com/updates .
Brian Krebs is a reporter for washingtonpost.com. His Security Fix column can be found at http://www.washingtonpost.com/securityfix.