Information Age: News, analysis & insight for IT & business leaders

14 April 2004 Microsoft has released four new patches to cover 20 security flaws across all current versions of its Windows operating system.

Most of the vulnerabilities, which were announced in Microsoft's latest monthly Security Bulletin, were identified by external sources and experts, rather than the software giant itself. Some of these sources claim they alerted Microsoft to these flaws more than six months ago.

This is believed to be the largest number of security holes to be patched by Microsoft simultaneously since it began its monthly bulletins in October 2003. Only ten other such vulnerabilities have been announced so far this year.

Eight of the 20 flaws are graded 'critical', the highest level of alert, and 16 could be exploited by an attack over the Internet — considered a more significant threat than email-borne viruses as it could enable outsiders to take control of Windows PCs.

However, four patches fix the same kind of Windows vulnerabilities (in the RPC/DCOM components) that allowed the Blaster worm to become one of the most prolific and damaging viruses of 2003.

Another flaw in the Outlook Express emailing software could allow a virus to spread by just clicking on a web link.

Although no virus writers have yet taken advantage of any of these vulnerabilities, the announcement could prompt security threats taking advantage of the notoriously slow adoption of patches, particularly by home users.

Microsoft is trying hard to repair Windows's reputation for insecurity and has increased the number of engineers working on security.

At the end of March, Microsoft founder and chief software architect Bill Gates posted an "executive email" to customers highlighting the company's efforts to improve its update process. At the same time, he acknowledged that "the evolving nature of threats requires a broader, multi-pronged response" than simply releasing patches.