Unblocked SP2, ‘Critical’ Patches on Deck From Microsoft

As part of its regular monthly patch cycle, Microsoft is set to release five security updates next week.

The updates include fixes for “critical” issues in Microsoft Office
and Exchange as well as MSN Messenger.

Microsoft also said it would release an updated version of the Microsoft
Windows Malicious Software Removal Tool on Windows Update and the
Download Center. The tool will not be distributed using the company’s Software Update Services (SUS), however.

The latest patch update will occur on the same day Microsoft is scheduled to remove its automatic block for Windows XP SP2. After the block is removed, organizations with Windows Update will be prompted to receive SP2 if they haven’t done so already.

Microsoft typically does not reveal the explicit details of the
issues that will be fixed before the patches are made available. However, it does provide direction as to which applications will be affected.

The Microsoft Security Response Center Bulletin Notification issued
Thursday indicated that one of those issues has to do with Microsoft
Office.

According to the CVE (Common Vulnerabilities and Exposures) database of vulnerabilities, there are currently two known potential issues with Office. CAN-2005-0545 affects Microsoft Office InfoPath 2003 SP1 and could potentially allow an attacker to obtain network information, database name, username, password and the internal Web server name.

CAN-2005-0545 is the other potential Office issue, though according to the CVE database listing, the vulnerability is in dispute. That particular alleged vulnerability allows local users to bypass Active Directory policies by browsing for files with Office 10 applications.

Another April update involves a “critical” Microsoft Exchange issue. There is currently only one publicly known (via CVE) un-patched potential Exchange issue (CAN-2005-0420), though it is currently rated as not critical.

Last on the “critical” list of updates expected on Tuesday is one that deals with Microsoft’s public IM client, MSN Messenger. There are currently no publicly disclosed (via CVE) vulnerabilities in Messenger, though the Instant Messaging (IM) client has been the number one target of attacks among IM clients this past year.

Earlier today, the latest version of MSN Messenger, version 7, was officially released.

Microsoft has also indicated that it will release a pair of “Non-Security High-Priority” updates for Windows as well as updating its Malicious Software Removal Tool.

According to security software vendor eEye, there are two high-level vulnerabilities that could affect Windows NT 4.0, Windows 2000, Windows XP and Windows 2003 operating systems. The vulnerabilities were reported on March 16 and March 29. It is unclear whether fixes for them are part of Tuesday’s update.

No April updates are expected for Internet Explorer, though security firm Secunia currently lists 19 unpatched flaws of varying degrees with IE.

Last month, Microsoft’s security update addressed only two minor issues that affected Windows 98, Windows 98 Second Edition and Windows Millennium Edition (ME) support for two security updates that had been released in previous monthly updates. The March update also included a revision to the Malicious Software Removal Tool.

In contrast, the February update patched a dozen different issues.
