Microsoft Corp. released eight security fixes Tuesday that carry its highest threat rating and urged computer users to install them quickly because all the vulnerabilities they address could let attackers take complete control of systems.
Seven of the security vulnerabilities Microsoft marked "critical" affect the Windows operating system and related software, including the Internet Explorer browser, media player and instant messaging program. The eighth is with the Redmond software maker's Office XP business software. The patches can be downloaded at http://www.microsoft.com/security .
(MSNBC is a Microsoft - NBC joint venture.)
Microsoft also released four security fixes that carry lesser threat levels, but the problems could still let attackers gain some control of a system.
"This is a month that has a significant number of updates for customers to deploy," conceded Stephen Toulouse, a Microsoft security program manager.
But he said the company works to make fixes available as soon as it has them.
Toulouse said anyone running any version of Windows will need to install at least one of the updates. Many of the fixes also apply to Service Pack 2, the massive security upgrade for Windows XP that was released this summer.
Cumulative update for IE
Among the fixes is a particularly important cumulative update for the Internet Explorer browser. It includes patches for vulnerabilities that have already been made public.
Toulouse said some people have figured out how to exploit some of those security holes, though the company hasn't seen widespread attacks yet. Nonetheless, he said, attackers have a head start, so these flaws could be exploited much more quickly than others.
Another critical vulnerability could let an attacker take control of a computer by tricking the user into viewing a particular image, perhaps through the company's MSN or Windows Messenger or its Windows Media Player. The flaw takes advantage of imaging technology called "PNG Processing."
Vincent Gullotto, a vice president with security software maker McAfee Inc., said his researchers were especially concerned about a critical flaw in some Windows server software because that problem could create a worm-like attack that spreads with little interaction from users.
The large number of security updates could cause problems for big businesses, which must rush to secure their employees' computers while making sure that the updates don't harm regular business operations. Toulouse said Microsoft would offer extra support for business customers to deal with the mass of fixes.
The monthly fixes came as Microsoft announced plans to acquire security software maker Sybari Software Inc. as part of efforts to produce and sell its own security products.
Microsoft's software is a frequent and popular target for Internet-based attackers, and the company has made security a priority amid increasing hassles for business and consumer users.