RealTime IT News

Unblocked SP2, 'Critical' Patches on Deck From Microsoft

As part of its regular monthly patch cycle, Microsoft is set to release five security updates next week.

The updates include fixes for "critical" issues in Microsoft Office and Exchange as well as MSN Messenger.

Microsoft also said it would release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update and the Download Center. The tool will not be distributed using the company's Software Update Services (SUS), however.

The latest patch update will occur on the same day Microsoft is scheduled to remove its automatic block for Windows XP SP2. After the block is removed, organizations with Windows Update will be prompted to receive SP2 if they haven't done so already.

Microsoft typically does not reveal the explicit details of the issues that will be fixed before the patches are made available. However, it does provide direction as to which applications will be affected.

The Microsoft Security Response Center Bulletin Notification issued Thursday indicated that one of those issues has to do with Microsoft Office.

According to the CVE (Common Vulnerabilities and Exposures) database of vulnerabilities, there are currently two known potential issues with Office. CAN-2005-0545 affects Microsoft Office InfoPath 2003 SP1 and could potentially allow an attacker to obtain network information, database name, username, password and the internal Web server name.

CAN-2005-0545 is the other potential Office issue, though according to the CVE database listing, the vulnerability is in dispute. That particular alleged vulnerability allows local users to bypass Active Directory policies by browsing for files with Office 10 applications.

Another April update involves a "critical" Microsoft Exchange issue. There is currently only one publicly known (via CVE) unpatched potential Exchange issue (CAN-2005-0420), though it is currently rated as not critical.

Last on the "critical" list of updates expected on Tuesday is one that deals with Microsoft's public IM client, MSN Messenger. There are currently no publicly disclosed (via CVE) vulnerabilities in Messenger, though the Instant Messaging (IM) client has been the number one target of attacks among IM clients this past year.

Earlier today, the latest version of MSN Messenger, version 7, was officially released.

Microsoft has also indicated that it will release a pair of "Non-Security High-Priority" updates for Windows as well as updating its Malicious Software Removal Tool.

According to security software vendor eEye, there are two high-level vulnerabilities that could affect Windows NT 4.0, Windows 2000, Windows XP and Windows 2003 operating systems. The vulnerabilities were reported on March 16 and March 29. It is unclear whether fixes for them are part of Tuesday's update.

No April updates are expected for Internet Explorer, though security firm Secunia currently lists 19 unpatched flaws of varying degrees with IE.

Last month, Microsoft's security update addressed only two minor issues that affected Windows 98, Windows 98 Second Edition and Windows Millennium Edition (ME) support for two security updates that had been released in previous monthly updates. The March update also included a revision to the Malicious Software Removal Tool.

In contrast, the February update patched a dozen different issues.