Microsoft Issues Several Windows Security Patches
by Timothy Prickett Morgan
Microsoft announced four security patches for several generations of its Windows desktop and server platforms yesterday. Three of the patches are "critical," which is the highest level of importance that Microsoft gives to a patch. The fourth is rated as "important," which is one notch down from critical, but a machine can still be vulnerable if the patch is not applied.
Because keeping systems up to date is such a pain, Microsoft has moved to patching its software on a monthly basis. In fact, the four security patches announced yesterday are 20 individual patches that have been collected into four groups and given an aggregate threat-level rating. Here's the lowdown on the security updates, which you can apply through Microsoft's automated Windows Update function or manually through its security bulletin site.
Security Bulletin MS04-011, update number 835732. Status: critical. This is a collection of fourteen patches to as many security holes, which allow a remote hacker to gain access to a machine, elevate system privileges, or make Windows the unwitting victim of a denial-of-service attack. Collectively, these patches affect Windows NT 4.0 Server (including the Terminal Server variant), Windows 2000 Server (all editions), and Windows 2003 Server (all editions), as well as Windows NT 4.0 Workstation and Windows XP (all variants). Windows 98 and Windows ME are also exposed by two of the fourteen security holes in this rollup. Only three of the fourteen patches in this collection rise to the critical level on Windows 2003, compared with five for Windows 2000 and three for Windows NT. The holes are not in any one place, and include potential breaches in LDAP, SSL, logon, and other core components of Windows.
Security Bulletin MS04-012, update number 828741. Status: critical. This update comprises four patches, three of which plug holes in the Remote Procedure Call (RPC) section of Windows, which is a Unix function that has long since been pulled into Windows. The fourth fixes a Distributed COM (DCOM) hole that can inadvertently disclose information about network ports and allow hackers to create rogue programs to open ports. These patches replace some existing security patches. Windows NT 4.0 is only given a low priority for these patches, while Windows 2000, 2003, and XP rate these collectively as a critical patch. (One critical patch in a group makes the whole group critical, using the "one bad apple" approach Microsoft has taken.)
Security Bulletin MS04-013, update number 837009. Status: critical. This collection of patches fills security holes in Outlook Express, which is installed by default on all Windows machines. It affects Outlook Express 5.5 SP2, Outlook Express 6, and Outlook Express 6 SP1 for 32-bit and 64-bit Windows platforms. This hole could allow a specially crafted MHTML URL embedded in an e-mail to include malicious code that can be activated and run on a Windows box; Microsoft warns that this hole could allow a hacker to take complete control of the machine.
Security Bulletin MS04-014, update number 837001. Status: important. This update patches the Jet Database Engine, which is a cut-down version of the Microsoft Access database that uses SQL and Visual Basic to create program logic to access it. Microsoft says that there is a buffer overrun vulnerability that, if exploited, could allow a hacker to take over a machine, install programs, add or remove data, or create new accounts on the system.
If history is any guide, the malicious hackers who understand all of this code (who are relatively few in number) are at this very moment trying to figure out how to automate exploits for these security holes. Once these exploits are automated, newbie and wannabe hackers will download the exploits, tweak them, and unleash them on the world. Get your systems patched, people.