News

Microsoft Plans 8 Fixes in April

Redmond is poised to release eight security bulletins for its April patch release, with five designated as "critical" and three deemed "important."


Remote code execution (RCE) remains the recurring theme for Microsoft applications and services: every one of the critical bulletins closes RCE vulnerabilities in Microsoft Office, Internet Explorer or the Windows OS itself. The important bulletins are a mixed bag, addressing spoofing, elevation of privilege and a further RCE issue.

Critical Patches Cut a Wide Swath
The first critical bulletin is unusual in that it affects Microsoft Project, the planning tool IT and operations project managers use to build schedules, assign tasks, manage budgets and track workflow. Project 2000 Service Release 1, Project 2002 Service Pack 1 and Project 2003 SP2 are all covered by the fix, which closes an RCE vulnerability.

Critical bulletin No. 2 covers Windows 2000 SP4, XP SP2, and XP Professional x64 Edition and its SP2 update. It also addresses RCE flaws in all versions of Windows Server 2003 and in Windows Vista.

The third critical item will, for the second time since February's release, raise the eyebrows of Web developers. It concerns RCE flaws in VBScript and JScript, the two scripting engines Internet Explorer uses to run script embedded in or referenced from HTML pages. A cursory reading of the bulletin shows fixes for VBScript 5.1 and 5.6 and for JScript 5.1 and 5.6. The OS versions under this umbrella are Windows 2000 SP4, XP SP2 and XP Professional SP2, and all Windows Server 2003 versions. VBScript and JScript are used mainly by Web developers targeting IE.

And, once again, IE -- the near-ubiquitous Web browser bundled with Windows -- is the subject of the fourth critical bulletin. The fix closes RCE vulnerabilities in IE 5.01 SP4 and IE 6 SP1. It also covers XP SP2 Standard and Professional editions, all Windows Server 2003 versions, both Vista SP1 editions (where the bulletin is rated "important" rather than critical) and, lastly, all versions of Windows Server 2008, where it is rated "low."

The IE fixes continue with the last critical bulletin on the list, which addresses RCE flaws in IE 6 and 7 running on Windows 2000 SP4, both XP SP2 releases, both Vista SP1 releases and all versions of Windows Server 2008.

Important Patches
The sixth bulletin kicks off the important items. It addresses a spoofing vulnerability, in which an attacker or malicious code passes itself off as a legitimate party in order to gain access to a workstation or network. This bulletin covers Windows 2000 SP4, the XP and XP Professional SP2 releases, and all Windows Server 2003 releases.

Bulletin No. 7 mitigates an elevation-of-privilege risk, where an attacker who already has limited access circumvents access controls and raises that account to administrator or system-level rights. The fix covers the same OS versions as the sixth bulletin and additionally all three Windows Server 2008 releases.

Any IT pro, developer or user who draws flowcharts or schematic diagrams in Microsoft Visio, including those who use the ConceptDraw 7 add-on with it, will want to note the third and final important bulletin, which is an Office fix spanning Office XP, Office 2003 and the 2007 Office System. The specific application versions are Visio 2002 SP3, Visio 2003 SP2 and SP3, and Visio 2007 and 2007 SP1.

Of the eight bulletins, six will require a restart.

Alongside its previously announced push of IE 7 through Windows Update, Redmond is changing how it describes its releases for Windows Update and Windows Server Update Services. It is also touting a new non-security content release for the April 8 Patch Tuesday, slated to include an updated Windows Malicious Software Removal Tool and a Malicious Software Removal Tool update specifically for IE.

As with every rollout, the advance notice is not the final word; the exact nature, number and contents of the bulletins won't be known officially until Tuesday. It will nonetheless be interesting to see how IT pros adapt to the content and presentation changes, and what those changes do to lead time in future patch management cycles.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
