News

Microsoft Puts Out First Monthly Security Bulletin

• By Scott Bekker
• 10/15/2003

The big group of patches comes less than a week after CEO Steve Ballmer unveiled the new monthly patching program. Previously, Microsoft released security bulletins on Wednesdays, although the software giant often skipped weeks if it had no patches to deliver or released patches on other days of the week if they were urgent enough. Microsoft still reserves the option to release a patch for an especially severe problem at any time.

Official reasons for the new process include a predictable schedule to help customers build Microsoft system patching into their regular IT duties and more time between patches to give customers long enough to evaluate, test and install patches.

"A major benefit of switching to a monthly release cycle for security patches is that it allows customers to install multiple patches with a single install and single reboot," Microsoft added in a white paper on the new process.

Microsoft seems to be betting that making the process more regular and encouraging users to plan on it every month will give legitimate users an edge against hackers. In many cases, the posting of a Microsoft security bulletin has served as the starting line for a race in which IT departments struggle to get their systems patched as hackers hurry to reverse engineer the vulnerability to create exploits that can be dropped into automated attack tools.

After the initial monthly patch on Wednesday, Microsoft plans to hold future regular patching days on the second Tuesday of every month.

Seven New Vulnerabilities

On the first official release date of Microsoft's new patching process, Microsoft put out seven security bulletins. Microsoft has apparently been saving them up for some time. The software giant last published a security bulletin on its regular Wednesday schedule five weeks ago on Sept. 10. Microsoft did put out a special, urgent cumulative bulletin for Internet Explorer a week and a half ago on Oct. 3, however. (See story).

Among the seven bulletins released Wednesday, five dealt with problems in Windows. Four of those were critical problems that could result in an attacker remotely taking control of a user's machine or a server. Another Windows problem that could also allow remote code execution was rated important.

An executive summary of the Windows flaws with links to the individual Windows bulletins and patches was available here.

Microsoft also disclosed two newly discovered flaws in Exchange servers -- one critical, one moderate. Both flaws could result in an attacker gaining control of the server. The summary with links to those security bulletins was available here.