Microsoft Releases 3 Critical Patches
On Tuesday, Redmond rolled out four patches for the month of May as expected, with three deemed "Critical" and one "Moderate."
On Tuesday, Redmond rolled out four patches for the month of May as
, with three deemed "Critical" and one "Moderate."
Security pros say that though this is a relatively light release, the critical
bulletins stretch across current and relevant application platforms as well
as operating systems, and IT shops shouldn't take the implementation of these
First up on the critical list is a Microsoft
Word patch, an update resolving what the software giant said were "two
newly discovered and privately reported vulnerabilities" in the popular application that could allow hackers to deploy remote code
execution (RCE) exploits through a maliciously crafted Word file.
If successful, when a user clicks on the file, a hacker would be able to install,
view, edit, change or delete capabilities when it comes to data. The intruder
could also create new accounts and adjust user profiles for elevated privileges
on the workstation and, by extension, the network.
The patch affects Outlook 2007 and Word versions 2003, 2002 and 2000.
Additionally, Word Viewer 2003 and Word Viewer 2003 SP3, as well as the Office
Compatibility Pack for Excel, Word and PowerPoint 2007 file formats are affected
with a proviso of "important."
One thing IT pros should note is that the update parameters are structured
for where the remedies reside, mainly at the application level, affecting Office 2003 SP3, Office XP SP3, Office 2000 SP3, and the 2007 Office System Software
and its first update in Office System SP1.
critical item would thwart RCE attacks via the Microsoft Publisher program. Redmond stated in the release notes that the fix is configured
to resolve one "newly discovered and privately reported vulnerability"
in the program that could be exploited when users open a corrupt Publisher
file. The versions affected are Publisher 2003 SP2 and SP3, 2002, 2000 SP3, and all versions of Publisher 2007.
Meanwhile, the third
patch, involving the Jet Database Engine -- in many processing environments,
the foundation for Windows products and applications on the OS -- is probably
the most vital of the critical patches. Security administrators, systems administrators,
and even database and network administrators would all do well to pay attention
to this bulletin as well as monitor the results after installation.
"With this flaw, there is a possible way to create a buffer overflow in
the Jet engine," explained Jason Miller, security data team manager for
St. Paul, Minn.-based Shavlik Technologies. "By exploiting this vulnerability,
an evil attacker could take over complete control over a machine. This can be
accomplished by sending an evil file that contains a Word document with a specially
crafted access database file embedded in the document."
According to both Miller and the Microsoft Security Response team, a user would
have to open the file for a hacker to take advantage of the flaw; a user who
views HTML e-mails in the preview pane can also be affected by the Jet engine
vulnerability (in the latter case, the user does not have to open the document).
Lastly, a hacker can create a Web site and embed a Word or .PDF file into it
as bait for an unsuspecting user.
What's especially intriguing about this fix, one observer suggested, is that
Microsoft didn't originally plan to roll out a fix for it. "Microsoft's
initial response to this vulnerability was that they wouldn't patch," said
Tyler Reguly, security researcher for San Francisco-based nCircle. "So,
the original researcher released the vulnerability (noting that Microsoft said
they wouldn't release a fix). Now they have released a fix but refused to acknowledge
the original researcher. This response flies in the face of their constant messaging
about responsible disclosure."
Researcher credit and controversy aside, Redmond's fix is directed at Jet 4.0
Database Engine programs built on top of the following operating systems: XP SP2, XP Professional x64 Edition and Windows 2000 SP4. The fix also touches Windows Server 2003 x64 Edition, Windows Server 2003 with
SP1 for Itanium-based systems and Windows
Server 2003 SP1.
Lastly, the lone
moderate patch, while not critical, deals with a potential denial of service
hack that can lock administrators and users out of Windows Live OneCare, Microsoft
Antigen, the Windows Defender security program, Forefront and the Standalone
Microsoft said the bulletin covers all the components of the Microsoft Malware
Protection Engine through which a hacker could take advantage of the vulnerabilities
by building a specially crafted "spinning" file triggered by user
acceptance and, more important, scanning by the Microsoft security programs
"One interesting thing to note about this month's bulletins is that some
of Microsoft's own key security software -- including Windows Defender, Forefront
Security and Antigen -- have been identified as requiring an important security
update," said Don Leatham, director of solutions and strategy at Lumension
Securities in Scottsdale, Ariz. "Whenever security tools themselves are
affected -- even if they have been given 'moderate' status -- we would encourage
administrators to treat them with increased importance. Any company that relies
on these programs as part of their overall security posture should pay close
attention to this update."
According to Redmond, two of the four patches will require a restart of the
system after installation.
And in keeping with a new design and presentation scheme started in April,
Microsoft is referring IT pros and Windows Enterprise professionals to this
Knowledge Base article for a description of non-security and high-priority
updates on Microsoft Update, Windows Update and Windows Server Update Services.
Featured among the programs and applications being updated are Windows Malicious
Software Removal Tool, non-security updates for Windows Server 2008 and Vista,
as well as updated info on Windows Server 2008 Dynamic Installer and Vista Dynamic
Installer, and an upgrade of Windows Mail Junk-Email Filter.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.