Educause Security Discussion mailing list archives

Re: Microsoft Security Bulletins


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Thu, 16 Oct 2003 09:44:39 -0400

Microsoft released more than 2 security bulletins yesterday
(they released 7: Security Bulletins MS03-41 - MS03-47, see:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp).

    * MS03-047 : Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)
    * MS03-046 : Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (822363)
    * MS03-045 : Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
    * MS03-044 : Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
    * MS03-043 : Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
    * MS03-042 : Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)
    * MS03-041 : Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)

As you noticed they revamped their security bulletin and patch/
update release procedure -- in an attempt to be more responsive
to customer demands for both a timely but also more orderly
process (they say that they will be releasing updates on the
second Tuesday of each month -- however the first monthly
release would be Oct 15th).  More is described at :
http://www.microsoft.com/technet/security/bulletin/revsbwp.asp

Also, there is supposedly a Windows XP post-SP1 cumulative security
roll-up pack available (though it is not listed on Microsoft's web)
which would apply all of the XP security patches released after SP1.

And SP2 for XP is now supposed to be made available in December before
the end of the year.

- H. Morrow Long, CISSP
  Director  - Information Security Office
  Yale University, ITS

Walsh, Brian R. (Information Services) wrote:
Microsoft has just sent out two "Security Bulletin Summaries". One for Exchange Server and one for Windows (although they 
messed up the subject on the second one). They also included a link in both messages that doesn't work. Otherwise these messages 
look legit. It looks like this is one of the ways they are trying to be more responsive to newly identified security vulnerabilities.

The Windows updates are being handled here by Software Update Server but we are struggling with how to communicate the 
importance of installing critical updates to students. How are you dealing with this?

I also noticed that MS now has a free support line for security patches 1-866-PCSAFETY. Has anyone used this? Is this 
something we should pass along to students?

Brian Walsh
Information Security Officer
Connecticut College

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
