Office XP Bulletin Critical After All

Microsoft alerted users on Wednesday that the security bulletin it released the day before for Office XP is more severe than the software company's security experts originally thought.

Microsoft issued the bulletin MS04-009 on Tuesday with a rating of "important." But the bulletin was re-released on Wednesday with a "critical" rating, Microsoft's most severe designation. The bulletin was part of Microsoft's monthly bundle of patches, which have been released on the second Tuesday of each month since October. Three patches were released on Tuesday, the others involved a moderate flaw with Windows and a moderate flaw with MSN Messenger. (See story).

"This change is based on information concerning a new attack scenario discovered after the bulletin's original release on March 9th," a Microsoft spokesperson said. Microsoft officials say customers who applied the patch provided with the bulletin on Tuesday, or who applied Office XP Service Pack 3, are still protected against the flaw despite the change in the severity rating.

The original bulletin reported that the flaw allowed remote code execution because of a problem with the way Outlook 2002 parses specially crafted mailto URLs. An attacker would have to entice a victim to click on a malicious Web site or HTML e-mail.

The new attack vector affects users who set Outlook Today as their default folder and could allow a privilege elevation attack. In addition to the patch, which protects against the new attack vector, Microsoft also added a workaround to allow customers who cannot deploy the patch immediately to disable the use of the Outlook Today page.

Microsoft has issued 10 security bulletins so far in 2004, and four of them have been critical. Last year at this time, Microsoft had also issued 10 security bulletins, but five of those were critical.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Microsoft Previews Microsoft Teams for Linux

    Microsoft on Tuesday announced a "limited preview" release of Microsoft Teams for certain Linux desktop operating systems.

  • Hyper-V Architecture: Some Clarifications

    Brien answers two thought-provoking reader questions. First, do Hyper-V VMs have direct hardware access? And second, how is it possible to monitor VM resource consumption from the host operating system?

  • Old Stone Wall Graphic

    Microsoft Addressing 36 Vulnerabilities in December Security Patch Release

    Microsoft on Tuesday delivered its December bundle of security patches, which affect Windows, Internet Explorer, Office, Skype for Business, SQL Server and Visual Studio.

  • Microsoft Nudging Out Classic SharePoint Blogs

    So-called "classic" blogs used by SharePoint Online subscribers are on their way toward "retirement," according to Dec. 4 Microsoft Message Center post.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.