RealTime IT News

Microsoft Releases Flurry of 'Critical' Patches

UPDATED: Microsoft offered over 30 patch updates as part of its monthly allotment of security fixes Tuesday, including patches to plug a hole in Outlook Express and service packs of IE versions.

The 20 vulnerabilites it covered in the package of updates were organized into four groups for Windows versions. Three are labeled "critical," and another dubbed "important" by the software giant.

The patches cover vulnerabilities in versions of the Redmond, Wash.-based company's Windows, Outlook Express, NT, XP and NT workstations software.

One of the critical patches corrected the lion's share of vulnerabilities addressed in this month's update. Fourteen vulnerabilities were fixed in all versions of Windows Server 2003/XP/2000/NT 4.0 operating systems: eight covered remote code execution, two covered denial of service vulnerabilities and four were for privilege elevation vulnerabilities.

A second vulnerability, also tagged as "critical," addressed four vulnerabilities found in all versions of Microsoft Server 2003/XP/2000/NT 4.0's Remote Procedure Call/Distributed Component Object Model (RPC/DCOM) code. Two denial of service, one remote code execution and one information disclosure vulnerabilities were fixed in the release.

A third bucket of updates was to address the recently reported MHTML vulnerability that affects Window's handling of cross-domain help files.

Microsoft said it has tracked it down to a flaw in Microsoft Outlook Express 5.5, O E6, OE 6 SP1 (32- and 64-bit) and OE 6 for Windows Server 2003 (32- and 64-bit). The patch is a cumulative update.

The fourth group of patches was aimed at plugging vulnerabilities dubbed "important," and are to fix a remote code execution vulnerability in Microsoft's Jet Database Engine.

In Windows 98/98 SE/98 ME/NT 4.0/2000/XP/Server 2003, an attacker could exploit the engine to take control of the machine, install programs and add new accounts.

Windows users are encouraged to update their machines as soon as possible, go here for more information or run Windows Update.

Mike Reavey, Microsoft Security Response Center program manager told internetnews.com that the patches addressed vulnerabilities discovered no earlier than September of last year and as recently as last month.

He said that while there are still problems with individuals publishing vulnerabilities on the Internet before they've had a chance to fix them, he said security firms have been very good about notifying them before publicizing them.

Despite the number of vulnerabilities addressed in this latest crop of patches, Neel Mehta, a research engineer for Atlanta-based security firm Internet Security Systems, said he didn't see an alarming trend in Microsoft's operating system.

"I don't think that there will ever be a point when any operating system is completely secure, especially considering the size of the code base and the complexity of it," he told internetnews.com.

He said his company, which works closely with Microsoft on security issues, has found Microsoft very serious about vulnerabilities and works to fix them as soon as possible, while still performing due diligence to get a comprehensive patch out the door.

That effort has extended to the beta tests currently underway with Windows XP Service Pack 2, which is heavily geared towards Internet security. Reavey said the features in its Windows Security Center -- which monitor key security applications like the firewall and anti-virus software, as well as warn customers of new security patches -- would provide a lot of default protection for end users.

Officials also announced Tuesday they were re-releasing four patches to fix vulnerabilities not previously discovered. After publishing the original patches Microsoft security officials discovered they also affected other operating systems: MS00-082, MS01-141 and MS03-046 have been updated to incorporate Exchange Server 5.0; while updates to MS02-011 now protect Windows NT 4.0 Option Pack.

The company will host a Web cast Wednesday at 1 p.m. EST here to go over April's vulnerability patches.

Corrects prior version to update to 20 vulnerabilities that were patched in the current release