Re: Microsoft posts 'revisions' to security bulletins

[InfoSec News <isn () c4i org>]

Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

In my opinion its pretty darn obvious that they don't know what
affects what, which leads to other questions concerning integrity,
quality, testing practices and security. I think that if M$ continues
down the path of "lets patch this here and there" that 90% of the
World operating systems will come to a screeching halt someday.  It is
also my opinion that after they have modified the original code by 25%
or 50%? that it won't be easy to undo the problem by simply adding
another layer.

Actually M$ could probably use this link, its chalked full of valuable
information regarding the Software Development Life Cycle (SDLC). I
found it very interesting that the US DOJ is now involved in software
development so much that they are dictating software development
standards and practices. The best part about this standards released
in January of 2003 is that it has information security integrated
throughout.; http://www.usdoj.gov/jmd/irm/lifecycle/table.htm;

Enjoy!

Best regards,
Mark.

Mark E. S. Bernard, CISM,
Apollo Computer Consultants Inc.

email: Mark.Bernard.CISM () apollo-cc com
Web site: www.apollo-cc.com

Phone: (506) 375-6368



----- Original Message ----- 
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Friday, October 24, 2003 4:33 AM
Subject: [ISN] Microsoft posts 'revisions' to security bulletins


> http://www.computerworld.com/securitytopics/security/story/0,10801,86399,00.html
>
> Story by Paul Roberts
> OCTOBER 23, 2003
> IDG NEWS SERVICE
>
> Two software patches Microsoft Corp. released last week caused
> problems on foreign language versions of the Windows operating
> system and Exchange e-mail server. As a result, Microsoft yesterday
> issued "major revisions" to the two patches, MS03-045 and MS03-047,
> that included new patches for affected customers and additional
> instructions to get the patches to stick on vulnerable systems.
>
> Microsoft officials were not immediately available to comment today.
>
> Security bulletin MS03-045 concerns a buffer overrun vulnerability
> in a component of most supported versions of Windows. Microsoft
> rated the issue "important" but not critical. If left unpatched, the
> security hole would allow any person with a valid user log-in and
> password for an affected system to take total control of that
> machine and run malicious code on it.
>
> After releasing the bulletin and the associated patches, Microsoft
> discovered compatibility problems between the patch and third-party
> software on systems running foreign language editions of Windows
> 2000 with Service Pack 4, Microsoft said.
>
> Russian, Spanish and Italian versions of Windows 2000 were affected,
> in addition to versions in a number of other languages, including
> Czech, Finnish and Turkish, Microsoft said.
>
> Security bulletin MS03-047 was rated "Moderate" and described a
> cross-site scripting vulnerability in Exchange Server 5.5, Service
> Pack 4. If left unpatched, the problem could allow a remote attacker
> to send a user on a vulnerable system an e-mail message containing
> an embedded Web link to trick victims into running a computer script
> of the attacker's choice, Microsoft said.
>
> Microsoft said it discovered that the patch did not work for some
> customers who installed foreign language versions of Outlook Web
> Access (OWA), an Exchange service that enables e-mail users to
> access their Exchange mailboxes using a Web browser instead of the
> Outlook mail client.
>
> While customers running English, German, French and Japanese
> versions of OWA were covered by the original patch, those running
> OWA in other languages need to apply the rereleased version,
> Microsoft said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.