Re: [ISN] Microsoft posts 'revisions' to security bulletins

From: InfoSec News (isn@private)
Date: Sun Oct 26 2003 - 23:53:40 PST


    Forwarded from: Mark Bernard <mbernard@private>
    
    Dear Associates,
    
    In my opinion it's pretty darn obvious that they don't know what
    affects what, which leads to other questions concerning integrity,
    quality, testing practices and security. I think that if M$ continues
    down the path of "let's patch this here and there" that 90% of the
    World's operating systems will come to a screeching halt someday.  It is
    also my opinion that after they have modified the original code by 25%
    or 50%? that it won't be easy to undo the problem by simply adding
    another layer.
    
    Actually M$ could probably use this link, it's chock-full of valuable
    information regarding the Software Development Life Cycle (SDLC). I
    found it very interesting that the US DOJ is now involved in software
    development so much that they are dictating software development
    standards and practices. The best part about this standard released
    in January of 2003 is that it has information security integrated
    throughout: http://www.usdoj.gov/jmd/irm/lifecycle/table.htm
    
    Enjoy!
    
    Best regards,
    Mark.
    
    Mark E. S. Bernard, CISM,
    Apollo Computer Consultants Inc.
    
    email: Mark.Bernard.CISM@apollo-cc.com
    Web site: www.apollo-cc.com
    
    Phone: (506) 375-6368
    
    
    
    ----- Original Message ----- 
    From: "InfoSec News" <isn@private>
    To: <isn@private>
    Sent: Friday, October 24, 2003 4:33 AM
    Subject: [ISN] Microsoft posts 'revisions' to security bulletins
    
    
    > http://www.computerworld.com/securitytopics/security/story/0,10801,86399,00.html
    >
    > Story by Paul Roberts
    > OCTOBER 23, 2003
    > IDG NEWS SERVICE
    >
    > Two software patches Microsoft Corp. released last week caused
    > problems on foreign language versions of the Windows operating
    > system and Exchange e-mail server. As a result, Microsoft yesterday
    > issued "major revisions" to the two patches, MS03-045 and MS03-047,
    > that included new patches for affected customers and additional
    > instructions to get the patches to stick on vulnerable systems.
    >
    > Microsoft officials were not immediately available to comment today.
    >
    > Security bulletin MS03-045 concerns a buffer overrun vulnerability
    > in a component of most supported versions of Windows. Microsoft
    > rated the issue "important" but not critical. If left unpatched, the
    > security hole would allow any person with a valid user log-in and
    > password for an affected system to take total control of that
    > machine and run malicious code on it.
    >
    > After releasing the bulletin and the associated patches, Microsoft
    > discovered compatibility problems between the patch and third-party
    > software on systems running foreign language editions of Windows
    > 2000 with Service Pack 4, Microsoft said.
    >
    > Russian, Spanish and Italian versions of Windows 2000 were affected,
    > in addition to versions in a number of other languages, including
    > Czech, Finnish and Turkish, Microsoft said.
    >
    > Security bulletin MS03-047 was rated "Moderate" and described a
    > cross-site scripting vulnerability in Exchange Server 5.5, Service
    > Pack 4. If left unpatched, the problem could allow a remote attacker
    > to send a user on a vulnerable system an e-mail message containing
    > an embedded Web link to trick victims into running a computer script
    > of the attacker's choice, Microsoft said.
    >
    > Microsoft said it discovered that the patch did not work for some
    > customers who installed foreign language versions of Outlook Web
    > Access (OWA), an Exchange service that enables e-mail users to
    > access their Exchange mailboxes using a Web browser instead of the
    > Outlook mail client.
    >
    > While customers running English, German, French and Japanese
    > versions of OWA were covered by the original patch, those running
    > OWA in other languages need to apply the rereleased version,
    > Microsoft said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Oct 27 2003 - 03:05:31 PST