Information Security News mailing list archives
Re: Microsoft posts 'revisions' to security bulletins
From: InfoSec News <isn () c4i org>
Date: Mon, 27 Oct 2003 01:53:40 -0600 (CST)
Forwarded from: Mark Bernard <mbernard () nbnet nb ca> Dear Associates, In my opinion its pretty darn obvious that they don't know what affects what, which leads to other questions concerning integrity, quality, testing practices and security. I think that if M$ continues down the path of "lets patch this here and there" that 90% of the World operating systems will come to a screeching halt someday. It is also my opinion that after they have modified the original code by 25% or 50%? that it won't be easy to undo the problem by simply adding another layer. Actually M$ could probably use this link, its chalked full of valuable information regarding the Software Development Life Cycle (SDLC). I found it very interesting that the US DOJ is now involved in software development so much that they are dictating software development standards and practices. The best part about this standards released in January of 2003 is that it has information security integrated throughout.; http://www.usdoj.gov/jmd/irm/lifecycle/table.htm; Enjoy! Best regards, Mark. Mark E. S. Bernard, CISM, Apollo Computer Consultants Inc. email: Mark.Bernard.CISM () apollo-cc com Web site: www.apollo-cc.com Phone: (506) 375-6368 ----- Original Message ----- From: "InfoSec News" <isn () c4i org> To: <isn () attrition org> Sent: Friday, October 24, 2003 4:33 AM Subject: [ISN] Microsoft posts 'revisions' to security bulletins
http://www.computerworld.com/securitytopics/security/story/0,10801,86399,00.html Story by Paul Roberts OCTOBER 23, 2003 IDG NEWS SERVICE Two software patches Microsoft Corp. released last week caused problems on foreign language versions of the Windows operating system and Exchange e-mail server. As a result, Microsoft yesterday issued "major revisions" to the two patches, MS03-045 and MS03-047, that included new patches for affected customers and additional instructions to get the patches to stick on vulnerable systems. Microsoft officials were not immediately available to comment today. Security bulletin MS03-045 concerns a buffer overrun vulnerability in a component of most supported versions of Windows. Microsoft rated the issue "important" but not critical. If left unpatched, the security hole would allow any person with a valid user log-in and password for an affected system to take total control of that machine and run malicious code on it. After releasing the bulletin and the associated patches, Microsoft discovered compatibility problems between the patch and third-party software on systems running foreign language editions of Windows 2000 with Service Pack 4, Microsoft said. Russian, Spanish and Italian versions of Windows 2000 were affected, in addition to versions in a number of other languages, including Czech, Finnish and Turkish, Microsoft said. Security bulletin MS03-047 was rated "Moderate" and described a cross-site scripting vulnerability in Exchange Server 5.5, Service Pack 4. If left unpatched, the problem could allow a remote attacker to send a user on a vulnerable system an e-mail message containing an embedded Web link to trick victims into running a computer script of the attacker's choice, Microsoft said. Microsoft said it discovered that the patch did not work for some customers who installed foreign language versions of Outlook Web Access (OWA), an Exchange service that enables e-mail users to access their Exchange mailboxes using a Web browser instead of the Outlook mail client. While customers running English, German, French and Japanese versions of OWA were covered by the original patch, those running OWA in other languages need to apply the rereleased version, Microsoft said.
- ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
Current thread:
- Re: Microsoft posts 'revisions' to security bulletins InfoSec News (Nov 04)