Microsoft issued four patches today that fix at least 20 flaws in various Windows versions. Three of the patches are rated critical--the company's highest warning level--because they fix problems that could potentially lead to virus or worm attacks. The fourth patch is rated important. The patches constitute April 2004's monthly security updates, Microsoft says.
The largest of the four patches covers 14 security flaws, including a problem with the Help and Support module in Windows XP and a flaw in the Windows Metafile Format (WMF). At least 6 of the 14 flaws could let a malicious attacker remotely take control of a Windows computer, according to documentation the company released.
In an odd move, Microsoft admitted that it waited months to patch some of the problems so that the company could release a single, more comprehensive patch, leading some security experts to question whether Microsoft's goal of monthly security patches is a good idea. eEye Digital Security Cofounder Marc Maiffret said that his company discovered some of the flaws as long ago as September 2003. "There are definitely going to be attacks that come from this, just because of the [critical nature] of the vulnerability," he said.
However, some security gurus are warming to Microsoft's security strategy, noting that less-dangerous vulnerabilities don't need to be patched right away, especially if those vulnerabilities aren't widely known. Microsoft representatives echoed this sentiment: If attackers had been exploiting the flaws, the company would have responded faster. Other security experts noted that most of the flaws Microsoft patched this month were derivatives of earlier flaws. In other words, after a flaw is found, attackers and security researchers tend to concentrate on that weakness and often find other related flaws.
Most Windows users can protect themselves by using their systems' built-in Automatic Updates and Microsoft Windows Update services. But if you want more information about the patches or would like to manually download them, visit the Microsoft Security Web site.