Microsoft releases monthly security fixes

Microsoft released its first monthly security update on Wednesday, following a new schedule that attempts to ease the load on overburdened system administrators.

The first update consists of five vulnerabilities deemed "critical" by the software giant, the top rating that Microsoft assigns to security flaws. The ranking is used to designate security flaws that could allow online vandals to take control of a user's computer or create an Internet worm that could spread from system to system.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

"All of the five critical (vulnerabilities) are, of course, critical, so that means they are wormable," said Jeff Jones, senior director of Microsoft's security business unit.

Three of the critical flaws affect all of the Windows operating systems currently supported by Microsoft, including various editions of Windows NT, Windows 2000, Windows XP and Windows Server 2003. Another critical flaw affects only Windows 2000, and the fifth such flaw affects Microsoft's Exchange Server 5.5 and Exchange 2000 Server products. More information on the flaws--numbered MS03-041 to MS03-047--can be found on Microsoft's security Web page.

The software giant's move to a monthly from a primarily weekly patch release schedule is a major change for system administrators bogged down by a to-do list of fixes to apply to Windows computers. Microsoft believes the new schedule will help administrators deal with the workload. The software giant's CEO, Steve Ballmer, said that the monthly schedule will help companies prepare to patch computers.

"We will now go to monthly patches--no more than monthly," he told attendees at the recent Microsoft Worldwide Partner Conference. "That predictability is something you and our customers have highlighted to us we need to do, because people are feeling like they have to drop everything and deploy every patch at all times."

Microsoft revealed several other security initiatives at the event, including a reduction in the ways that administrators get patches, better consumer education, and improving the default security of its products.

While Jones recommended that administrators examine all the advisories, he said that one flaw in the messenger service that allows Windows applications to talk to each other--not to be confused with Microsoft's instant messaging application--should be taken care of immediately.

"I would advise them (administrators) to take the mitigation step of turning off that service and, of course, apply the patch," he said.

Windows users can automatically check their systems for necessary updates using Microsoft's Windows Update. More information can be found on Microsoft's Protect Your PC page.