Office XP Bulletin Critical After All

Microsoft alerted users on Wednesday that the security bulletin it released the day before for Office XP is more severe than the software company's security experts originally thought.

Microsoft issued the bulletin MS04-009 on Tuesday with a rating of "important." But the bulletin was re-released on Wednesday with a "critical" rating, Microsoft's most severe designation. The bulletin was part of Microsoft's monthly bundle of patches, which have been released on the second Tuesday of each month since October. Three patches were released on Tuesday, the others involved a moderate flaw with Windows and a moderate flaw with MSN Messenger. (See story).

"This change is based on information concerning a new attack scenario discovered after the bulletin's original release on March 9th," a Microsoft spokesperson said. Microsoft officials say customers who applied the patch provided with the bulletin on Tuesday, or who applied Office XP Service Pack 3, are still protected against the flaw despite the change in the severity rating.

The original bulletin reported that the flaw allowed remote code execution because of a problem with the way Outlook 2002 parses specially crafted mailto URLs. An attacker would have to entice a victim to click on a malicious Web site or HTML e-mail.

The new attack vector affects users who set Outlook Today as their default folder and could allow a privilege elevation attack. In addition to the patch, which protects against the new attack vector, Microsoft also added a workaround to allow customers who cannot deploy the patch immediately to disable the use of the Outlook Today page.

Microsoft has issued 10 security bulletins so far in 2004, and four of them have been critical. Last year at this time, Microsoft had also issued 10 security bulletins, but five of those were critical.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Microsoft Ups Its Windows 10 App Compatibility Assurances

    Microsoft gave assurances this week that organizations adopting Windows 10 likely won't face application compatibility issues.

  • SharePoint Online Users To Get 'Modern' UI Push in April

    Microsoft plans to alter some of the tenant-level blocking capabilities that may have been set up by organizations and deliver its so-called "modern" user interface (UI) to Lists and Libraries for SharePoint Online users, starting in April.

  • How To Use PowerShell Splatting

    Despite its weird name, splatting can be a really handy technique if you create a lot of PowerShell scripts.

  • New Microsoft Customer Agreement for Buying Azure Services To Start in March

    Microsoft will have a new approach for organizations buying Azure services called the "Microsoft Customer Agreement," which will be available for some customers starting as early as this March.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.