Get Your Patch On: Patch Tuesday Yields Five Critical Patches

by Alex Woodie

The first Patch Tuesday in two months came and went yesterday, and we're now left with eight new patches to fix more than a dozen new vulnerabilities in Microsoft products. Microsoft considers five of the patches to be "critical"--the most severe rating on the company's scale--and three of them to be "important." Windows server shops will be most concerned with critical vulnerabilities in the first release of Windows Server 2003 and Exchange Server 2000 Service Pack (SP) 3 that could allow attackers to take over machines.

In our modern age, the most significant thing a Windows user or Windows server administrator can do to keep their systems healthy is to keeping them up-to-date with the latest patches from Microsoft. While some security updates should be tested before being put into production (Windows XP SP2 comes to mind), users ignore these security updates at their own peril.

Now, let's take a look at this month's bounty of critical security patches from our Redmond, Washington, provider:

Microsoft Security Bulletin MS05-019 describes a series of critical vulnerabilities in Windows' TCP/IP stack that open the computers to remote code execution and denial of service (DOS) attacks. Affected operating systems include Windows Server 2003, Windows 2000 SPs 3 and 4, Windows XP SPs 1 and 2, two versions of Windows XP for Itanium (including 64-Bit Edition SP1 and 64-Bit Edition Version 2003), Windows Server 2003 for Itanium systems, and Windows 98/SE/ME.

Microsoft Security Bulletin MS05-020 is a cumulative update for Internet Explorer version 5 and 6 that rounds up several previously issued patches for critical errors, including the "DHTML Object Memory Corruption Vulnerability," the "URL Parsing Memory Corruption Vulnerability," and the "Content Advisory Memory Corruption Vulnerability," into a single patch for IE version 5.01 and 6.0 running on Windows Server 2003, Windows 2000 SPs 3 and 4, Windows XP SPs 1 and 2, two versions of Windows XP for Itanium (including 64-Bit Edition SP1 and 64-Bit Edition Version 2003), Windows Server 2003 for Itanium systems, and Windows 98/SE/ME.

Microsoft Security Bulletin MS05-021 fixes a critical buffer overflow flaw in some versions of Exchange Server 2000 that could allow an attacker to take over your server, or launch a DOS attack. The flaw affects Exchange Server 2000 and Exchange Server 2000 SPs 1 and 3 (but not SPs 2 and 4).

Microsoft Security Bulletin MS05-022 addresses a critical flaw in the GIF processing of MSN Messenger version 6.2 and the beta version of version 7.0 (but not version 7.0 sent to general release) that could allow an attacker to take over vulnerable machines.

Microsoft Security Bulletin MS05-023 fixes several buffer overflow problems in Word that could allow an attacker to take over an affected machine. This flaw is rated critical on Word 2001 and 2002, and is designated as important for Word 2003.

Included among the less severe vulnerabilities for which Microsoft announced patches for yesterday are:

Microsoft Security Bulletin MS05-016 fixes an important flaw in the Windows shell that could allow at attacker to remotely execute code by tricking a workstation or terminal server into starting the HTML Application Host component. Affected platforms include Windows Server 2003, Windows Server 2003 for Itanium, Windows 2000 SPs 3 and 4, Windows XP SPs 1 and 2, and two versions of Windows XP for Itanium (64-Bit Edition SP1 and 64-Bit Edition Version 2003).

Microsoft Security Bulletin MS05-017 fixes an important buffer overflow problem in the Message Queuing component of various Windows systems that could allow remote code execution. Messaging Queuing is not turned on by default, which should dampen this vulnerability's impact. Affected operating systems are Windows XP SP1, Windows 2000 SPs 3 and 4, Windows XP 64-Bit Edition SP1 (for Itanium), and Windows 98 and SE.

Microsoft Security Bulletin MS05-018 fixes several important problems in the Windows kernel--as well as Windows' font processing, and Client Server Runtime System (CSRSS) components--that could allow a hacker to gain elevation of privilege or launch a DOS attack against a vulnerable machine. This flaw affects Windows Server 2003, Windows 2000 SPs 3 and 4, Windows XP SPs 1 and 2, as well as the two Itanium versions of Windows XP (64-Bit Edition SP 1 and 64-Bit Edition Version 2003), and the Itanium version of Windows Server 2003.

This was the first round of patches issued by Microsoft since February 8, when the company issued the most patches at one time since it began its monthly patch release cycle last year (see "Patch Tuesday Yields Banner Crop of 12 Fixes, 8 of Them Critical"). The next batch of patches is due the second Tuesday of May, which is May 10.