Microsoft Plans Eight Fixes in April
- By Jabulani Leffall
Redmond is poised to release eight security bulletins for its April patch release,
with five designated as "critical" and three deemed "important."
Remote code execution (RCE) implications continue to be a recurring theme for
Microsoft applications and services. All of the critical items would plug
such RCE vulnerabilities as they relate to Microsoft Office, Internet Explorer and
the Windows OS. Meanwhile, the important fixes represent a hodgepodge of security
preparedness measures as Microsoft attempts to block spoofing, elevation of privilege
and RCE attacks.
Critical Patches Cut a Wide Swath
The first critical issue is a rare patch in that it affects Microsoft Project,
a program designed for operations project managers
to help develop plans, assign tasks, manage budgets and track
workflows. Project 2000 Service Release 1 and the 2002 Service Pack 1 version,
along with 2003 SP2, are all included in the patch that is designed to keep
RCE hackers at bay.
Critical patch No. 2 is for Windows 2000 SP4, XP SP2, XP Professional x64 edition
and its SP2 update. It also deals with any potential RCE problems in all versions
of Windows Server 2003 and Windows Vista.
The third critical item is one that will, for the second time since February's
release, raise the eyebrows of Web developers. It pertains to RCE exploits
affecting Visual Basic Scripting Edition (VBScript) and JScript, the scripting
languages used to write browser-side functions that are embedded in, or included
in, Hypertext Markup Language (HTML) pages. A cursory inspection of the third
bulletin reveals a smattering of fixes affecting VBScript 5.1 and 5.6, as well as
JScript 5.1 and 5.6. Related OS versions under this patch umbrella are Windows
2000 SP4, XP SP2 and XP Professional SP2, and all Windows Server 2003 versions.
VBScript and JScript are used mainly by Web developers working with IE.
And, once again, the patch for IE -- the near-ubiquitous Web browser bundled with Windows
-- is rated critical. This upcoming fourth fix would prevent any incursions of RCE-based bugs in IE 5.01
SP4 and IE 6 SP1. The fix also affects XP SP2 Standard and Professional editions,
all Windows Server 2003 versions, both Vista SP1 editions (with an accompanying
"important" footnote, in this case), and, lastly, all versions of Windows Server
2008, albeit with a "low" priority proviso.
The IE fixes continue with the last critical patch in the list. RCE implications
are prevalent with IE 6 and 7 sitting on Windows 2000 SP4, both XP SP2 releases,
both Vista SP1 releases and all versions of Windows Server 2008.
The sixth patch kicks off the important items. The patch would combat spoofing,
or what is known in the hacking community as a "masquerade ball": an attacker or
malicious program enters through some vector and then passes itself off as
legitimate to gain entry into a workstation or network. This bulletin touches
Windows 2000 SP4, XP and XP Professional SP2 releases, and all Windows Server
Patch No. 7 is designed to mitigate an elevation-of-privilege risk, where a
hacker might circumvent access controls and raise his own account's rights to
gain unrestricted access as an administrator or super-user. The fix affects
all of the same OS versions as the sixth patch, except that it also touches all
three Windows Server 2008 releases.
Any IT pro, software developer or user who designs flowcharts, works up schematic
presentations or uses the ConceptDraw 7 program with the Microsoft Visio
diagramming application may be interested in the third and final important patch,
which affects Office XP, Office 2003 and the 2007 Office System. The specific
application versions are Visio 2002 SP3, 2003 SP2 and SP3, and Visio 2007 and
2007 SP1.
Of the eight total patches, six items will require restarts.
Reiterating a previously announced push of IE 7 for Windows Update, Redmond is
shaking things up with a change in content presentation for the way it describes
its releases for Windows Update and Windows Server Update Services. It is also
touting a new security content release for the April 8 Patch Tuesday. This is
slated to include a Windows Malicious Software Removal Tool upgrade and a
Malicious Software Removal Tool upgrade specifically for IE.
As with each rollout, the advance notice isn't the final product. The nature,
number and design of all of the patches won't be known officially until Tuesday.
However, it will be interesting to see how IT pros adapt to the content and
presentation changes and how these will affect lead time in future patch management
Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.