Office XP Bulletin Critical After All

Microsoft alerted users on Wednesday that the security bulletin it released the day before for Office XP is more severe than the software company's security experts originally thought.

Microsoft issued the bulletin MS04-009 on Tuesday with a rating of "important." But the bulletin was re-released on Wednesday with a "critical" rating, Microsoft's most severe designation. The bulletin was part of Microsoft's monthly bundle of patches, which have been released on the second Tuesday of each month since October. Three patches were released on Tuesday; the others involved a moderate flaw with Windows and a moderate flaw with MSN Messenger.

"This change is based on information concerning a new attack scenario discovered after the bulletin's original release on March 9th," a Microsoft spokesperson said. Microsoft officials say customers who applied the patch provided with the bulletin on Tuesday, or who applied Office XP Service Pack 3, are still protected against the flaw despite the change in the severity rating.

The original bulletin reported that the flaw allowed remote code execution because of a problem with the way Outlook 2002 parses specially crafted mailto URLs. An attacker would have to entice a victim to click on a malicious Web site or HTML e-mail.

The new attack vector affects users who set Outlook Today as their default folder and could allow a privilege elevation attack. In addition to the patch, which protects against the new attack vector, Microsoft also added a workaround to allow customers who cannot deploy the patch immediately to disable the use of the Outlook Today page.

Microsoft has issued 10 security bulletins so far in 2004, and four of them have been critical. Last year at this time, Microsoft had also issued 10 security bulletins, but five of those were critical.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

