Microsoft Finds 22 New Flaws

It's a bit of a surprise to see such a large number of alerts following so closely on the heels of the release of Windows XP SP2, which was supposed to close many of the holes exposed recently in Windows. Microsoft was careful to point out that the 22 new vulnerabilities are not widely known and have not yet been used in widespread attacks. Still, the bulletins should be a warning to security managers that patch management remains a critical, fundamental function in any security strategy. The frequency of patch deployment isn't stabilizing or slowing--it's increasing.

The bulletins also raise a second, less obvious issue: Many of today's most prevalent exploits come from external attackers who want control over your systems. When a third party takes charge of an enterprise desktop computer, chances are that the intruder doesn't intend to steal data from the workstation, but seeks to use that workstation as a launching pad for other attacks, either on the enterprise servers or on other third-party systems.

Identifying and stopping attacks that use one of your own clients as a launching pad means employing an IDS (intrusion-detection system) that examines all traffic, not just in-bound network traffic at the perimeter. It may also mean enforcing policies for updates and security applications on any client allowed to attach to the corporate network--including those of trading partners and contractors--to minimize the risks from unpatched and unprotected machines.

In the final analysis, Microsoft's latest alerts are more a reminder to keep your guard up than a call to panic. But the real calls for panic will come more and more frequently if the reminders are ignored.