After announcing changes last week to its process for distributing software patches to customers, Microsoft released the first of its monthly bulletins yesterday, with patches for four critical holes in the Windows operating system and one critical flaw in the Exchange email server.
The cumulative security bulletins, one for Windows and one for Exchange, raise the number of security patches this year to 47 and replace the weekly bulletins that Microsoft had been using to inform customers of important software security updates.
For its popular Windows operating system, Microsoft issued updates for two critical problems with Windows components that handle ActiveX controls, small and portable pieces of code that can be inserted into Web pages or programs to perform specific actions.
The company also warned customers about the need to patch two buffer overrun vulnerabilities in Windows.
One buffer overflow was found in the Windows Messenger service, a standard Windows component that allows users on a network to send text messages between machines, much akin to instant messaging.
A second critical buffer overrun vulnerability was found in the Windows Help and Support Center function, which provides Windows users with help and advice on using the product.
Any of the critical Windows flaws that Microsoft identified on Wednesday could be used by malicious hackers to launch remote attacks against vulnerable machines, causing the machine to crash or causing their own attack code to be run on the machine, Microsoft said.
For Exchange Server, Microsoft warned customers about a critical vulnerability in the Internet Mail Service that could enable remote attackers to connect to the SMTP (Simple Mail Transfer Protocol) port on vulnerable machines running Exchange 2000 Server or Exchange Server 5.5 and launch an attack that causes the machine to stop running or to run attack code.
In addition to the five critical issues for Windows and Exchange, Microsoft disclosed two other vulnerabilites, one for Windows that was rated "Important", and one for Exchange that was rated "Moderate".
The cumulative bulletins come just days after Microsoft chief executive officer Steve Ballmer announced a slew of new security initiatives to protect customers from what he called a "wave of criminal attacks". The decision to shift from weekly to monthly security bulletins was part of that effort and was made in response to complaints from Microsoft customers about the difficulty of staying on top of the weekly releases, Microsoft said.
The company said it reserves the right to release bulletins at any time, however, and will do so when it feels customers are in imminent danger of being exploited because of a known software vulnerability, Microsoft said.