Educause Security Discussion mailing list archives
Re: Microsoft Security Bulletins
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Thu, 16 Oct 2003 09:44:39 -0400
Microsoft released more than 2 security bulletins yesterday (they released 7: Security Bulletins MS03-41 - MS03-47, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp).

* MS03-047 : Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)
* MS03-046 : Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (822363)
* MS03-045 : Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
* MS03-044 : Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
* MS03-043 : Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
* MS03-042 : Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)
* MS03-041 : Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)

As you noticed they revamped their security bulletin and patch/update release procedure -- in an attempt to be more responsive to customer demands for both a timely but also more orderly process (they say that they will be releasing updates on the second Tuesday of each month -- however the first monthly release would be Oct 15th).

More is described at: http://www.microsoft.com/technet/security/bulletin/revsbwp.asp

Also, there is supposedly a Windows XP post-SP1 cumulative security roll-up pack available (though it is not listed on Microsoft's web) which would apply all of the XP security patches released after SP1.

And SP2 for XP is now supposed to be made available in December before the end of the year.

- H. Morrow Long, CISSP
Director - Information Security Office
Yale University, ITS

Walsh, Brian R. (Information Services) wrote:
Microsoft has just sent out two "Security Bulletin Summaries". One for Exchange Server and one for Windows (although they messed up the subject on the second one). They also included a link in both messages that doesn't work. Otherwise these messages look legit.

It looks like this is one of the ways they are trying to be more responsive to newly identified security vulnerabilities. The Windows updates are being handled here by Software Update Server but we are struggling with how to communicate the importance of installing critical updates to students. How are you dealing with this?

I also noticed that MS now has a free support line for security patches 1-866-PCSAFETY. Has anyone used this? Is this something we should pass along to students?

Brian Walsh
Information Security Officer
Connecticut College

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.