Reuters
08:15 AM Sep. 15, 2004 PT
SEATTLE
Microsoft released a patch for its latest "critical" rated security flaw affecting its Windows, Office and developer tools software programs, the company said Tuesday.
Separately, the world's largest software maker was dealt a setback after the Internet Engineering Task Force decided not to adopt Microsoft's e-mail sender ID standard that would make it easier for internet service providers to block unwanted junk e-mail.
Microsoft, which now releases security bulletins and updates on a monthly cycle, said that its latest software flaw stems from the way its software processes images in the JPEG format.
Users opening a file or viewing a specific image could be at risk if a hacker exploits the flaw and tries to gain access to a personal computer.
"The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image," Microsoft said in a statement. "There is no way for an attacker to force a user to open a malicious file."
Microsoft launched a campaign in early 2002 to boost the security and reliability of its software, and is due to release a major update to Windows XP next month aimed at improving the security of the company's flagship operating system.
Microsoft urged users to download and install the patch to prevent any risk that the vulnerability may be exploited. The patch can be found here.
The patch affects Microsoft's Windows XP, Office 2003, Project, Visio, Visual Studio and other programs that handle JPEG images.
"The one thing that makes this a bit different is that it affects so many applications," said Craig Schmugar, a virus research manager at McAfee. "Home users should definitely roll this (patch) out as soon as possible."
Microsoft released another patch Tuesday rated "important," affecting software used to convert WordPerfect files within Microsoft Office.
Meanwhile, Microsoft failed to get its e-mail ID standard adopted by the Internet Engineering Task Force. The company combined its Caller ID for e-mail and Pobox.com co-founder Meng Wong's Sender Policy Framework last month for submission to the task force.
But a working group within the task force led by Andrew Newton raised issues with Microsoft's patent claims on the technology behind its proposal, saying that license restrictions could make the standard difficult to adopt widely, according to a memo posted online by the standards group.
E-mail authentication proposals have been floating around since at least 1998, but experts have given the concept more attention over the past year as spam has exploded to account for up to 83 percent of all internet traffic.
Microsoft and Wong's proposals were aimed at making it difficult for spammers and scam artists to appropriate the e-mail addresses of others in order to slip through content filters, a tactic known as "spoofing."
But the task force, citing potential issues of compatibility between Microsoft's patent-protected technology and freely licensed protocols, rejected Microsoft's proposals.