FW: Microsoft Security Update
I see a trend going on here, Word, Office, Office, Office and Office. I
guess Office has been overdue in regards to security bulletins lately :)

MS03-034 (NetBIOS information disclosure) gets a rating of Low, even though
Blaster showed us just how many Windows installations run with all ports
accessible.

It's surprising that MS03-035 (circumventing Office Macro security) and
MS03-036 (BO in WordPerfect Converter) got ratings of Important rather than
Critical, I guess the bulletins are waiting for some automatic exploit to
surface before revision.

At least MS03-037 (VBA code execution) got a proper Critical rating.

MS03-038 (code execution in Access Snapshot Viewer, an ActiveX control) got
a rating of Moderate for webpage based exploits but completely forgets to
mention HTML email.

Lots of different ratings and lots of details to consider before system
administrators can decide when to apply these patches, but we really want
simplicity over complexity. I would still prefer 2 ratings instead of 4,
Apply Now or Apply Later - with the latter heading for the bi-weekly patch
job. Let's face it, rolling out patches in a big corporation on an almost
daily basis is just not very effective or economical.

Which leads to the positive side, it is definitely great to see Microsoft
releasing 5 vulnerabilities in a single day, rather than releasing a new
one every other day. They must have listened to the feedback from
administrators who tired of inefficient and constant patch jobs, and should
definitely adhere to this practice in the future. It may be a small step in
optimizing the entire patch process, but it's a positive trend.

If there is anything we have learnt in the months behind us it is that
producing patches is the least of our worries in security, getting
administrators and end users to actually apply those patches is an entirely
different ballgame.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
-----Original Message-----
From: Microsoft
[mailto:0_51922_1B06CAE9-7FDB-4EFF-B651-1869EADE5F25_DK@xxxxxxxxxxxxxxxx
osoft.com]
Sent: 3. september 2003 23:46
To: thor@xxxxxxxx
Subject: Microsoft Security Update
-----BEGIN PGP SIGNED MESSAGE-----
THE MICROSOFT SECURITY UPDATE NEWSLETTER
September 3, 2003
The Microsoft Security Update Newsletter for home users
and small businesses provides information on security-related
updates to Microsoft(R) products, as well as virus alerts
and resources for more information on security issues.
You have received this update as a subscriber to the Microsoft
Security Update Newsletter. To cancel your subscription, follow
the instructions at the bottom of this page.
__________________________________________________
SECURITY BULLETIN MS03-034
Security Update for Microsoft Windows
http://go.microsoft.com/?linkid=237617
SEVERITY
Low
WHY WE ARE ISSUING THIS UPDATE
A security issue has been identified in Microsoft Windows(R)
that could allow an attacker to see information in your computer's
memory over a network. You can help protect your computer by
installing this update from Microsoft.
MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Windows NT(R) Server 4.0
Windows NT Server 4.0 Terminal Server Edition
Windows 2000
Windows XP
Windows Server(TM) 2003
__________________________________________________
SECURITY BULLETIN MS03-035
Security Update for Microsoft Word
http://go.microsoft.com/?linkid=237618
SEVERITY
Important
WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Word(R) could allow an
attacker to compromise a Microsoft Windows-based system and then
take a variety of actions. For example, an attacker could read
files on your computer or run programs on it. By installing this
update, you can help protect your computer.
MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Word 97, 98(J), 2000, and 2002
Works Suite 2001, 2002, and 2003
__________________________________________________
SECURITY BULLETIN MS03-036
Security Update for Microsoft Office
http://go.microsoft.com/?linkid=237619
SEVERITY
Important
WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Office could allow an
attacker to compromise a system using Microsoft Office and then
take a variety of actions. For example, an attacker could read
files on your computer or run programs on it. By installing this
update, you can help protect your computer.
MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Office 97, 2000, and XP
Word 98(J)
FrontPage 2000 and 2002
Publisher 2000 and 2002
Works Suite 2001, 2002, and 2003
__________________________________________________
SECURITY BULLETIN MS03-037
Security Update for Microsoft Visual Basic for Applications
http://go.microsoft.com/?linkid=237620
SEVERITY
Critical
WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Visual Basic(R) for
Applications could allow an attacker to compromise a Windows-based
system and then take a variety of actions. For example, an attacker
could read files on your computer or run programs on it. By
installing this update, you can help protect your computer.
MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Visual Basic for Applications SDK 5.0, 6.0, 6.2, and 6.3
Office 97, 2000, and XP
Word 98(J)
Visio 2000 and 2002
Project 2000 and 2002
Publisher 2002
Works Suite 2001, 2002, and 2003
Business Solutions Great Plains 7.5
Business Solutions Dynamics 6.0 and 7.0
Business Solutions eEnterprise 6.0 and 7.0
Business Solutions Solomon 4.5, 5.0, and 5.5
__________________________________________________
SECURITY BULLETIN MS03-038
Security Update for Microsoft Access and Access Snapshot Viewer
http://go.microsoft.com/?linkid=237621
SEVERITY
Moderate
WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Access and the downloadable
Access Snapshot Viewer could allow an attacker to compromise a system
using Microsoft Office or the Microsoft Access Snapshot Viewer and
then take a variety of actions. For example, an attacker could read
files on your computer or run programs on it. By installing this
update, you can help protect your computer.
MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Access 97, 2000, and 2002
__________________________________________________
<snip rest>