News

7 Microsoft Security Bulletins Updated

• By Scott Bekker
• 10/24/2003

Two of the bulletins were revised for serious problems. A Windows patch for a vulnerability rated "important" broke applications in some non-English versions of Windows. An Exchange patch was revised to include some language versions not included in the original patch. The other five bulletins had minor updates for informational problems in the bulletins or incorrect URLs for patches.

All of the patches were originally issued on Oct. 15. That was the first multi-patch release under Microsoft's new schedule of releasing all patches on one day each month. Although the first mega-patch day came on a Wednesday, future monthly patch dates will fall on the second Tuesday of every month.

Microsoft changed its schedule to give IT a regular date when administrators can expect and quickly respond to Microsoft security patches.

The updated versions started arriving on Tuesday and continued into Wednesday.

The two patches that came in for major revisions were MS03-045 for Windows and MS03-047 for Exchange.

Revisions to Windows Patches

MS03-045 was originally released to fix an "important" flaw, a buffer overrun in the ListBox and ComboBox that could allow code execution. The flaw affects all supported versions of Windows except Windows Millennium Edition. It was the least serious of the five Windows bulletins released on Oct. 15. Microsoft rated the other four "critical" problems.

The problem with the patch is it breaks some third-party applications in certain non-English versions of Windows 2000 Service Pack 4. The affected language versions are Brazilian, Czech, Danish, Finnish, Hungarian, Italian, Norwegian, Polish, Portuguese, Russian, Spanish, Swedish and Turkish.

In changes to the four critical Windows-related bulletins, MS03-041 updated Windows 2000 file information; MS03-042 updated some product-specific information; MS03-043 updated security patch supports for Windows Server 2003, Windows XP and Windows 2000; and MS03-044 updated the download link for Windows XP 64-bit.

Revisions for Exchange Patches

On the Exchange side the more problematic patch also addressed the less serious vulnerability. The patch for MS03-046 addresses a vulnerability in Exchange 2000 and Exchange 5.5 that could allow for arbitrary code execution. The minor revision for that critical patch merely removes some unnecessary information from the deployment instructions for Exchange 5.5 SP4.

The bigger problem that required a 2.0 version of MS03-047 was again with language versions. MS03-047 is a patch for a cross-site scripting vulnerability in Outlook Web Access on Exchange 5.5. The original patch didn't cover languages installed through Language Packs for Outlook Web Access.

Microsoft also added the caveat to the MS03-047 bulletin to warn users that installing the patch on servers running versions of Internet Explorer prior to 5.01 would result in "unexpected consequences."

All of the affected bulletins are available at www.microsoft.com/technet/security/Default.asp.