3 Critical Bulletins in Microsoft's Monthly Patch Collection
By Scott Bekker
Three critical security patches are included in Microsoft's bundle of security bulletins for November. The critical problems affect Internet Explorer, Windows and the Microsoft FrontPage Server Extensions.
Microsoft delivered its first bundle of patches under its new monthly schedule, which is to put out patches on the second Tuesday of every month. Microsoft released its first monthly bundle in October, but the company posted those patches on a Wednesday, which was Microsoft's weekly patching date.
The Internet Explorer patch is a cumulative patch that includes fixes for five new flaws. Although the patch is critical for all versions of Windows going back to Windows NT 4.0 Workstation SP6a and Windows 98, it is rated "moderate" for Windows Server 2003, which runs IE under an Enhanced Security Configuration mode by default. More information on the bulletin is available here.
The critical flaw in Windows involves an unchecked buffer in the Workstation service of Windows 2000 and Windows XP that can allow an attacker to remotely take complete control of a user's system. More information on the flaw is available here.
The other critical patch covers problems in FrontPage Server Extensions, a set of tools that can be installed on a Web site to allow management of the server and its content and to add Web site functionality such as search and forms support. The patch addresses two flaws. One of the flaws allows an attacker to take complete control of the server remotely; the other flaw provides an avenue for a denial-of-service attack. The security bulletin is available here.
Also included in the bundle of patches on Tuesday were an "important" patch for Microsoft Word and Excel and an "important" re-release of a 2002 patch, MS02-050. The Office programs patch fixes flaws in the way Word and Excel handle macro files. In some cases, an attacker could cause malicious code to execute when a user opens a malformed Word or Excel document. The flaw doesn't affect Word 2003 or Excel 2003. Details are available here.
The re-released patch from September 2002 addressed a flaw that made it possible for an attacker to spoof identities and, in some cases, gain control of a user's system. It affected Windows, Office for Mac and Internet Explorer. Microsoft re-released the bulletin because of regression problems that can arise when applying IE 6.0 Service Pack 1 on top of Windows 2000 Service Pack 4. Details are available here.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.