Four patches from Microsoft this month
Connecting state and local government leaders
Patches designed to stave off remote code execution (RCE) exploit attacks continue to pervade Microsoft's security and hotfix strategy.
In one of this year's lighter Patch Tuesdays, Redmond plans to roll out four
patches this month. Three of the four bulletins are "Critical" and
only one is noted as "Important."
As with the past six months of security bulletin announcements,
patches designed to stave off remote code execution (RCE) exploit
attacks continue to pervade Microsoft's security and hotfix
strategy. Tuesday looks to be no different, as all three critical
items would plug such vulnerabilities pertaining to components of
the Microsoft Office Suite and a handful of Windows operating
system versions.
The first critical item deals with RCE attack mechanisms through
a malicious Word file and comprises updates for Word versions 2000,
2002, 2003 and 2007. Additionally, Word Viewer 2003, Word Viewer
2003 Service Pack 3 as well as the Office Compatibility Pack for
Word, Excel and PowerPoint 2007 file formats are affected -- albeit
deemed as "important."
Overall, the first fix mainly sits at the application level,
affecting Office 2000 SP3, Office XP SP3, Office 2003 SP3 and the
2007 Office System Software and its first update in Office System
SP1.
Critical patch No. 2 staves off RCE attacks via the Publisher
program. The versions affected are Publisher 2000 SP3, 2002 SP3,
2003 SP2 and SP3 and all versions of Publisher 2007.
The last -- and perhaps most intriguing -- critical bulletin
relates to the Jet Database Engine (Jet) and the blocking of RCE
attacks in what's known as the foundation for Windows products and
applications on the OS. In this particular case, Jet serves as the
underlying operational component of a given workstation or network.
It lays out the framework for a given enterprise's collection of
information stored on a computer, server or drive in a systematic
and customized way.
Critics have often complained about the design of the Jet-based
database, which many contend wasn't built to sustain the complex
and heavy workloads on the average enterprise Exchange Server
environment. The fix is for Jet 4.0 Database Engine sitting on the
following operating systems: Windows 2000 SP4, XP SP2 and XP
Professional x64 Edition. The fix also touches Windows Server 2003
SP1, Windows Server 2003 x64 Edition and Windows Server 2003 with
SP1 for Itanium-based systems.
Meanwhile, the lone important fix deals with a potential denial
of service hack that can lock administrators and users out of
Windows Live OneCare, Microsoft Antigen, the Windows Defender
security program, Forefront and the standalone System Sweeper.
Two of the four patches will require a restart.
And in an initiative that began last month, Microsoft is
referring IT pros and Windows Enterprise professionals to thisknowledge base article for a description of non-security and
high-priority updates on Microsoft Update, Windows Update and
Windows Server Update Services. While this process doesn't exactly
scream "user-friendly," the support page is a comprehensive list of
changes in content and deployment of updates.
This month's list features, among other things, information on
an upgraded Windows Malicious Software Removal Tool, non-security
updates for Windows Server 2008 and Vista, as well as updated info
on Windows Server 2008 Dynamic Installer and Vista Dynamic
Installer. Rounding out that list is an update of the Windows Mail
Junk E-mail Filter.
This article was originally published May 8 at RedmondMag.com, an affilate Web site of GCN.com. RedmondMag.com and GCN.com are 1105 Media Inc. properties. Jabulani Leffall is an award-winning journalist whose work has appeared in the among others
NEXT STORY: Draft guidance for securing servers