Last week, Microsoft announced its April 2004 security updates. There are four: MS04-011, MS04-012, MS04-013, and MS04-014. At first glance, four seems relatively minor. However, the first bulletin alone, MS04-011, covers 14 separate vulnerabilities. In total, the four patches attempt to fix 20 different vulnerabilities that affect all versions of Windows from Windows 98 to XP. If 20 vulnerabilities seems like a high number, understand that this time, when Microsoft started working to resolve one flaw, the investigation exposed another, then another, and so on.
Three patches are "critical"
Microsoft considers three of the four patches critical. One of the more serious flaws addressed by these patches dates back to last October and involves the Remote Procedure Call (RPC) protocol; it could produce another worm similar to MSBlast. A second flaw affects a type of file used by the Windows Server 2003 and Windows XP Help and Support Center. A third, in the Windows SSL library, exposes servers that handle encrypted traffic--such as online banking or stock trades--to remote attack.
What's the difference between these flaws and fixes and those in previous patches? This time, it seems that Microsoft decided to get to the bottom of these problems, not just slap on a quick fix to a single problem of the moment. And in doing so, Microsoft has quietly updated four older patches:
the Malformed MIME header vulnerability (MS00-082),
RPC request can cause service failure (MS01-041),
Authentication flaw that could allow unauthorized users to authenticate to SMTP service (MS02-011),
Vulnerability in Exchange Server could allow arbitrary code execution (MS03-046). You get extra credit for patching these as well.
It also appears that Microsoft tested these new patches diligently: so far, individual desktop users have reported no adverse effects from downloading and applying them. That's not to say that system administrators shouldn't do their own testing; they should. But bundling the fixes makes testing far easier. After all, 4 patches test faster than 20.
The reverse-engineering threat
Considering that these patches are safe and relatively easy to install, you have no excuse not to get patching, and time is of the essence. Whenever Microsoft releases a new patch, criminal hackers, or crackers, will attempt to reverse engineer the patch--comparing the patched files against the originals--to see what it fixes within Windows and how Microsoft went about fixing it. These crackers then write code to exploit the original flaws on systems that haven't been patched. Often, they're not successful; not every flaw results in a new virus or worm. But when they do crack the code, we get worms such as last August's MSBlast.
The time frame for this reverse engineering has shortened. Recently, some malicious exploits have surfaced within days of a Microsoft patch announcement, and full-blown viruses and worms break out, on average, about 30 days after a patch first hits the Net. For example, as of this writing, VeriSign has already found evidence of exploits for the ASN.1 vulnerability (patched in February's MS04-007) and the Local Security Authority Subsystem Service (LSASS) vulnerability (one of the flaws fixed in MS04-011). So, right now, the threat clock is ticking on about a dozen new flaws.
More action, not more words
In the past, I've criticized the way Microsoft attempts to downplay flaws, then writes its security update explanations so vaguely that the real danger is obscured. But this time around, I applaud the company's newfound determination to get to the root of these vulnerabilities, some of which have been known since late last year.
The downside, of course, is that since last fall, virtually every Windows user worldwide has been vulnerable to remote attack. Several of the flaws were well known and even publicized on security and hacker newsgroups. At least 6 of the 20 allow a remote attacker to take control of a compromised PC.
In the end, though, four patches are easier on the end user, be it a home user or a system administrator responsible for a large number of systems. If that alone gets more people to update their OSs, then I'm glad that Microsoft waited and took the time to get the job done right.
Is this uncharacteristically thorough release a new trend or simply a response to a chorus of security researchers who've criticized Microsoft for taking so long to solve these problems?
Let's see what Microsoft does for us next month.
Got a security question? Let me hear about it!