Microsoft issues fixes for 20 flaws

[<bleeding_heart>]

Microsoft has acknowledged the existence of 20 vulnerabilities in various versions of its Windows operating systems, Outlook Express and NetMeeting and released patches to plug these holes overnight in the US.

The company has put out four patches to fix all these vulnerabilities, leading some researchers to observe that the casual visitor to the Microsoft security site would come away with the impression that there are just four critical vulnerabilities.

However, Microsoft Australia's security lead, Ben English, said: "We have addressed a number of vulnerabilities across a specific set of functions in the operating system which affects similar files. Patching these together makes more sense as it allows for better code review, testing against different customer scenarios, and improved manageability for our customers."

According to the Secunia security advisory service, the following versions of Windows are affected: Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows NT 4.0 Server, Windows NT 4.0 Server, (Terminal Server Edition), Windows NT 4.0 Workstation, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Windows XP Home Edition and Windows XP Professional.

Several of the flaws notified to Microsoft by eEye Digital Security were fixed after 215 days. Last year, a critical flaw was fixed after 200 days.

Others who discovered the flaws which were fixed were Internet Security Systems, Carlos Sarraute of Core Security Technologies, Ondrej Sevecek, Jouko Pynnönen, Brett Moore of Security-Assessment.com, Cesar Cerrudo, and Ben Pryor, Erik Kamphuis of LogicaCMG, the NSFOCUS Security Team John Lampe of Tenable Network Security and Foundstone Labs and Qualys.

Several of the flaws are similar to those which were exploited by the MS Blaster worm last year. The first advisory includes 14 vulnerabilities, the second four, and the third one. All are rated critical. The fourth advisory includes one vulnerability which is rated important, the second level on Microsoft's four-point scale.