Four Patches Coming in May
Three patches will target critical remote code execution exploits in Microsoft Office, Publisher and the Jet Database Engine.
Redmond is rolling out four patches this month in one of the lighter releases of this year. Three out of four of the bulletins are "Critical," and only one noted as "Important." As in the past six months of security bulletin announcements, patches designed to stave off Remote Code Execution exploit attacks continue to pervade Microsoft's security and hotfix strategy.
Tuesday looks to be no different, as all three items forecasted as critical would plug such vulnerabilities pertaining to components of the Microsoft Office Suite and a handful of Windows operating system versions.
The first critical item deals with RCE attack mechanisms through a malicious Word file and comprises updates for Microsoft Word versions 2000, 2002, 2003 and 2007. Additionally, Word Viewer 2003, Word Viewer 2003 Service Pack 3 as well as the Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 file formats are affected -- albeit deemed as "important."
Overall, the first fix is mainly sits at the application level, affecting Office 2000 SP3, Office XP SP3, Office 2003 SP3 and the 2007 Microsoft Office System Software and its first update in Office System SP1.
Critical patch number two staves off RCE attacks via the Microsoft Publisher program. The versions affected are Publisher 2000 SP3, 2002 SP3, 2003 SP2 and SP3 and all versions of Publisher 2007.
The last critical and perhaps most intriguing bulletin relates to the Jet Database Engine and the blocking of RCE attacks in what is known as the foundation for Windows products and applications on the OS. In this particular case, the Jet Database Engine serves as the underlying operational component of a given workstation or network. It lays out the framework for a given enterprise's collection of information stored on a computer, server or drive in a systematic and customized way.
Critics have often complained about the design of the Jet-based database, which many contend wasn't built to sustain the complex and heavy workloads on the average enterprise Exchange Server environment. The fix is for Microsoft Jet 4.0 Database Engine sitting on the following operating systems: Windows 2000 SP4, Windows XP SP2, and Windows XP Professional x64 Edition. The fix also touches Windows Server 2003 SP1, Windows Server 2003 x64 Edition and Windows Server 2003 with SP1 for Itanium-based systems.
Meanwhile, the lone important fix deals with a potential Denial of Service hack that can lock administrators and users out of Windows Live OneCare, Microsoft Antigen, the Windows Defender security program, Microsoft Forefront and the standalone System Sweeper.
Two of the four patches will require a restart.
And in an initiative that began last month, Microsoft is referring IT pros and Windows Enterprise professionals to this knowledgebase article for a description of non-security and high priority updates on Microsoft Update, Windows Update and Windows Server Update Services. While this process doesn't exactly scream "user friendly," the support page is a comprehensive list of changes in content and deployment of updates.
This month's list features among other things, information on an upgraded Windows Malicious Software Removal Tool, Non-security updates for Windows Server 2008 and Windows Vista; as well as update info on Windows Server 2008 Dynamic Installer and Windows Vista Dynamic Installer. Rounding out that list is an update of the Windows Mail Junk E-mail Filter.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.