Microsoft posts 'revisions' to security bulletins

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,86399,00.html

Story by Paul Roberts
OCTOBER 23, 2003
IDG NEWS SERVICE

Two software patches Microsoft Corp. released last week caused
problems on foreign language versions of the Windows operating system
and Exchange e-mail server. As a result, Microsoft yesterday issued
"major revisions" to the two patches, MS03-045 and MS03-047, that
included new patches for affected customers and additional
instructions to get the patches to stick on vulnerable systems.

Microsoft officials were not immediately available to comment today.

Security bulletin MS03-045 concerns a buffer overrun vulnerability in
a component of most supported versions of Windows. Microsoft rated the
issue "important" but not critical. If left unpatched, the security
hole would allow any person with a valid user log-in and password for
an affected system to take total control of that machine and run
malicious code on it.

After releasing the bulletin and the associated patches, Microsoft
discovered compatibility problems between the patch and third-party
software on systems running foreign language editions of Windows 2000
with Service Pack 4, Microsoft said.

Russian, Spanish and Italian versions of Windows 2000 were affected,
in addition to versions in a number of other languages, including
Czech, Finnish and Turkish, Microsoft said.

Security bulletin MS03-047 was rated "Moderate" and described a
cross-site scripting vulnerability in Exchange Server 5.5, Service
Pack 4. If left unpatched, the problem could allow a remote attacker
to send a user on a vulnerable system an e-mail message containing an
embedded Web link to trick victims into running a computer script of
the attacker's choice, Microsoft said.

Microsoft said it discovered that the patch did not work for some
customers who installed foreign language versions of Outlook Web
Access (OWA), an Exchange service that enables e-mail users to access
their Exchange mailboxes using a Web browser instead of the Outlook
mail client.

While customers running English, German, French and Japanese versions
of OWA were covered by the original patch, those running OWA in other
languages need to apply the rereleased version, Microsoft said.

The move came two weeks after Microsoft CEO Steve Ballmer introduced a
new, streamlined approach to distributing software patches. Citing
complaints from customers about the difficulty of staying on top of
weekly security patches from the company, Ballmer said that Microsoft
would switch from a weekly to a monthly patch release schedule unless
it felt that customers were in imminent danger of attack from a known
product vulnerability.

Last week, Microsoft released the first of its monthly bulletins
containing patches for four critical holes in the Windows operating
system and one critical flaw in Exchange, in addition to the
lower-rated vulnerabilities Microsoft rereleased this week.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.