[ISN] Microsoft posts 'revisions' to security bulletins

From: InfoSec News (isn@private)
Date: Fri Oct 24 2003 - 00:33:56 PDT

  • Next message: InfoSec News: "[ISN] KDHE computers at 'high risk'"

    http://www.computerworld.com/securitytopics/security/story/0,10801,86399,00.html
    
    Story by Paul Roberts
    OCTOBER 23, 2003
    IDG NEWS SERVICE
    
    Two software patches Microsoft Corp. released last week caused
    problems on foreign language versions of the Windows operating system
    and Exchange e-mail server. As a result, Microsoft yesterday issued
    "major revisions" to the two patches, MS03-045 and MS03-047, that
    included new patches for affected customers and additional
    instructions to get the patches to stick on vulnerable systems.
    
    Microsoft officials were not immediately available to comment today.
    
    Security bulletin MS03-045 concerns a buffer overrun vulnerability in
    a component of most supported versions of Windows. Microsoft rated the
    issue "important" but not critical. If left unpatched, the security
    hole would allow any person with a valid user log-in and password for
    an affected system to take total control of that machine and run
    malicious code on it.
    
    After releasing the bulletin and the associated patches, Microsoft
    discovered compatibility problems between the patch and third-party
    software on systems running foreign language editions of Windows 2000
    with Service Pack 4, Microsoft said.
    
    Russian, Spanish and Italian versions of Windows 2000 were affected,
    in addition to versions in a number of other languages, including
    Czech, Finnish and Turkish, Microsoft said.
    
    Security bulletin MS03-047 was rated "Moderate" and described a
    cross-site scripting vulnerability in Exchange Server 5.5, Service
    Pack 4. If left unpatched, the problem could allow a remote attacker
    to send a user on a vulnerable system an e-mail message containing an
    embedded Web link to trick victims into running a computer script of
    the attacker's choice, Microsoft said.
    
    Microsoft said it discovered that the patch did not work for some
    customers who installed foreign language versions of Outlook Web
    Access (OWA), an Exchange service that enables e-mail users to access
    their Exchange mailboxes using a Web browser instead of the Outlook
    mail client.
    
    While customers running English, German, French and Japanese versions
    of OWA were covered by the original patch, those running OWA in other
    languages need to apply the rereleased version, Microsoft said.
    
    The move came two weeks after Microsoft CEO Steve Ballmer introduced a
    new, streamlined approach to distributing software patches. Citing
    complaints from customers about the difficulty of staying on top of
    weekly security patches from the company, Ballmer said that Microsoft
    would switch from a weekly to a monthly patch release schedule unless
    it felt that customers were in imminent danger of attack from a known
    product vulnerability.
    
    Last week, Microsoft released the first of its monthly bulletins
    containing patches for four critical holes in the Windows operating
    system and one critical flaw in Exchange, in addition to the
    lower-rated vulnerabilities Microsoft rereleased this week.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Oct 24 2003 - 03:17:23 PDT