Microsoft Warns of New Security Flaws
Thu Jun 13, 4:47 PM ET
FRANCISCO (Reuters) - Microsoft Corp. warned users of
three new security flaws in its software on Wednesday,
including one critical defect that could be exploited
to allow a hacker to gain control of a computer
running its Windows operating system software.
warnings took the total of such security bulletins
issued by Microsoft this year to 30. The tally shows
the company arguably has made slow progress in meeting
its goal of making its software more secure, about
half a year after making that a top priority.
Microsoft released 60 security bulletins for all of
2001, David Gardner, security program manager for
Microsoft's Security Response Center, said on
long-term goal is to get these down as low as we
possibly can," he said. "It's a journey, not a
In a rare companywide e-mail in January, Microsoft
Chairman Bill Gates (
said the company's credibility with customers depended
on its ability to release secure software,
particularly with regard to its Web services plans.
this year, Microsoft put many of its developers and
engineers through special security training and said
it would scour its code looking for problems.
Although the number of security bulletins appeared to
be tracking the number issued last year, that does not
mean the company hasn't improved its record, according
seeing effects" of the security initiative, he said.
For example, engineers are finding that they are
discovering many of the security flaws in software
before they are reported by outside researchers, he
Although software companies try to catch and fix bugs
before products are released, they typically end up
having to release patches for security holes
gratifying to be working on a patch for something
that's been reported and to find that we already" knew
about it, Gardner said.
bulletins released this week, several are for
vulnerabilities Microsoft has deemed "critical."
One critical flaw affects users of Windows NT 4.0, NT
4.0 Terminal server edition, Windows 2000 (
Windows XP (
and Windows Routing and Remote Access Server. A patch
has been released that fixes a hole that could shut a
system down or allow an attacker to run malicious code
on a computer.
The other two critical vulnerabilities announced this
week affect users of the Internet Explorer 5.01, 5.5
and 6.0 browser versions, Proxy Server 2.0 or Internet
Security and Acceleration Server 2000, as well as
Microsoft's instant messaging (
and chat programs.
is being developed for the Internet Explorer flaw,
which could allow an attacker to use an old Internet
protocol to take control of a victim computer. The
company has issued a temporary solution to protect
customers in the meantime.
Microsoft has released a patch for the vulnerability
in MSN Chat, MSN Messenger 4.5 and higher and Exchange
Instant Messenger that could allow an attacker to run
malicious code on a victim computer.
were three other non-critical flaws announced this
week, all of which have patches available. Two flaws
affecting Microsoft SQL Server 2000 could allow an
attacker to run code on a target computer.
affecting Windows NT 4.0 and Windows 2000 users
running Internet Information Server 4.0 and IIS 5.0
could cause the software to fail or allow unwanted
code to be run on the server, the company said.