Four Patches Coming in May

Three patches will target critical remote code execution exploits in Microsoft Office, Publisher and the Jet Database Engine.

Redmond is rolling out four patches this month in one of the lighter releases of this year. Three out of four of the bulletins are "Critical," and only one noted as "Important." As in the past six months of security bulletin announcements, patches designed to stave off Remote Code Execution exploit attacks continue to pervade Microsoft's security and hotfix strategy.

Tuesday looks to be no different, as all three items forecasted as critical would plug such vulnerabilities pertaining to components of the Microsoft Office Suite and a handful of Windows operating system versions.

The first critical item deals with RCE attack mechanisms through a malicious Word file and comprises updates for Microsoft Word versions 2000, 2002, 2003 and 2007. Additionally, Word Viewer 2003, Word Viewer 2003 Service Pack 3 as well as the Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 file formats are affected -- albeit deemed as "important."

Overall, the first fix is mainly sits at the application level, affecting Office 2000 SP3, Office XP SP3, Office 2003 SP3 and the 2007 Microsoft Office System Software and its first update in Office System SP1.

Critical patch number two staves off RCE attacks via the Microsoft Publisher program. The versions affected are Publisher 2000 SP3, 2002 SP3, 2003 SP2 and SP3 and all versions of Publisher 2007.

The last critical and perhaps most intriguing bulletin relates to the Jet Database Engine and the blocking of RCE attacks in what is known as the foundation for Windows products and applications on the OS. In this particular case, the Jet Database Engine serves as the underlying operational component of a given workstation or network. It lays out the framework for a given enterprise's collection of information stored on a computer, server or drive in a systematic and customized way.

Critics have often complained about the design of the Jet-based database, which many contend wasn't built to sustain the complex and heavy workloads on the average enterprise Exchange Server environment. The fix is for Microsoft Jet 4.0 Database Engine sitting on the following operating systems: Windows 2000 SP4, Windows XP SP2, and Windows XP Professional x64 Edition. The fix also touches Windows Server 2003 SP1, Windows Server 2003 x64 Edition and Windows Server 2003 with SP1 for Itanium-based systems.

Meanwhile, the lone important fix deals with a potential Denial of Service hack that can lock administrators and users out of Windows Live OneCare, Microsoft Antigen, the Windows Defender security program, Microsoft Forefront and the standalone System Sweeper.

Two of the four patches will require a restart.

And in an initiative that began last month, Microsoft is referring IT pros and Windows Enterprise professionals to this knowledgebase article for a description of non-security and high priority updates on Microsoft Update, Windows Update and Windows Server Update Services. While this process doesn't exactly scream "user friendly," the support page is a comprehensive list of changes in content and deployment of updates.

This month's list features among other things, information on an upgraded Windows Malicious Software Removal Tool, Non-security updates for Windows Server 2008 and Windows Vista; as well as update info on Windows Server 2008 Dynamic Installer and Windows Vista Dynamic Installer. Rounding out that list is an update of the Windows Mail Junk E-mail Filter.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

  • Microsoft Open License To End Next Year for Government and Education Groups

    Microsoft's "Open License program" will end on Jan. 1, 2022, and not just for commercial customers, but also for government, education and nonprofit organizations.

comments powered by Disqus