Microsoft Releases Flurry of ‘Critical’ Patches

UPDATED: Microsoft offered over 30 patch updates as part of its monthly allotment of security fixes Tuesday, including patches to plug a hole in Outlook Express and updates for several IE service pack versions.

The 20 vulnerabilities it covered in the package of updates were organized into four groups for Windows versions. Three are labeled “critical,” and the fourth is dubbed “important” by the software giant.

The patches cover vulnerabilities in versions of the Redmond, Wash.-based company’s Windows, Outlook Express, NT, XP and NT workstations software.

One of the critical patches corrected the lion’s share of vulnerabilities addressed in this month’s update. Fourteen vulnerabilities were fixed in all versions of the Windows Server 2003/XP/2000/NT 4.0 operating systems: eight covered remote code execution, two covered denial of service vulnerabilities and four were for privilege elevation vulnerabilities.

A second patch, also tagged as “critical,” addressed four vulnerabilities found in all versions of the Windows Server 2003/XP/2000/NT 4.0 Remote Procedure Call/Distributed Component Object Model (RPC/DCOM) code. Two denial of service vulnerabilities, one remote code execution vulnerability and one information disclosure vulnerability were fixed in the release.

A third bucket of updates was to address the recently reported MHTML vulnerability that affects Windows’ handling of cross-domain help files.

Microsoft said it has traced the problem to a flaw in Microsoft Outlook Express 5.5, OE 6, OE 6 SP1 (32- and 64-bit) and OE 6 for Windows Server 2003 (32- and 64-bit). The patch is a cumulative update.

The fourth group of patches, dubbed “important,” fixes a remote code execution vulnerability in Microsoft’s Jet Database Engine.

In Windows 98/98 SE/ME/NT 4.0/2000/XP/Server 2003, an attacker could exploit the engine to take control of the machine, install programs and add new accounts.

Windows users are encouraged to update their machines as soon as possible, either by consulting Microsoft’s bulletins for more information or by running Windows Update.

Mike Reavey, a Microsoft Security Response Center program manager, said the patches addressed vulnerabilities discovered no earlier than September of last year and as recently as last month.

He said that while there are still problems with individuals publishing vulnerabilities on the Internet before Microsoft has had a chance to fix them, security firms have been very good about notifying the company before publicizing them.

Despite the number of vulnerabilities addressed in this latest crop of patches, Neel Mehta, a research engineer for Atlanta-based security firm Internet Security Systems, said he didn’t see an alarming trend in Microsoft’s operating system.

“I don’t think that there will ever be a point when any operating system is completely secure, especially considering the size of the code base and the complexity of it,” he told

He said his company, which works closely with Microsoft on security issues, has found Microsoft to be very serious about vulnerabilities, working to fix them as soon as possible while still performing due diligence to get a comprehensive patch out the door.

That effort has extended to the beta tests currently underway with Windows XP Service Pack 2, which is heavily geared towards Internet security. Reavey said the features in its Windows Security Center — which monitor key security applications like the firewall and anti-virus software, as well as warn customers of new security patches — would provide a lot of default protection for end users.

Officials also announced Tuesday they were re-releasing four patches to fix vulnerabilities not previously discovered. After publishing the original patches, Microsoft security officials discovered they also affected other operating systems: MS00-082, MS01-141 and MS03-046 have been updated to incorporate Exchange Server 5.0, while updates to MS02-011 now protect the Windows NT 4.0 Option Pack.

The company will host a Web cast Wednesday at 1 p.m. EST to go over April’s vulnerability patches.

Corrects prior version to update the count to 20 vulnerabilities patched in the current release.