Many credited Microsoft for having made good progress in its efforts to develop a formal strategy for addressing vulnerabilities in the four years since Bill Gates, the company's chairman and chief software architect, announced its Trustworthy Computing initiative in January 2002. But the same isn't true for Oracle Corp. and other vendors that are lagging behind Microsoft when it comes to vulnerability discovery, remediation and disclosure processes, the users and analysts said.

'I think Microsoft has developed a strategy and a vision around security and vulnerabilities that they just didn't have a few years ago,' said Lloyd Hession, chief security officer at BT Radianz, a New York-based provider of telecommunications services to financial firms. 'It's hard to point to a single vendor who is doing a better job.'

Policies for responding to the discovery of security flaws are taking on increased importance as database, application and networking software become more prominent targets of cyberthreats that previously were aimed at operating systems, particularly Windows.

For instance, more than one-third of the top 20 Internet security vulnerabilities listed by the SANS Institute as part of an annual report released in November involved flaws found in application, security and data backup software.

Earlier this week, Oracle released a quarterly roundup of software patches designed to fix 82 vulnerabilities -- many of them rated 'critical' by the company. Cisco Systems Inc. also issued patches this week for several flaws affecting its routers and Call Manager software. And EMC Corp. released patches for its NetWorker backup software to fix security problems that could lead to a system crash or unauthorized remote access.