Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: FW: Microsoft Security Update
From: Paul Tinsley <pdt () jackhammer org>
Date: Thu, 04 Sep 2003 22:59:02 -0500

Just FYI, that is by design, Microsoft releases security bulletins on Wednesdays and has a conference call with some of their bigger customers on Thursdays to discuss the concerns their "heavy hitters" might have.

The one thing I would like to share about MS03-037 that may help clear up some confusion. It states: "When Microsoft Word is being used as the HTML e-mail editor in Outlook, a user would need to reply to or forward a malicious e-mail document sent to them in order for this vulnerability to be exploited." The reason for this is that word doesn't really "kick in" until you have taken the email into an editing mode, by opening a reply or forward window. You don't actually have to complete the forward or reply action, simply hitting reply or forward is enough.

So watch out for viruses offering free stuff to the next 20 people that reply :(

Thor Larholm wrote:

I see a trend going on here, Word, Office, Office, Office and Office. I
guess Office has been overdue in regards to security bulletins lately :)

MS03-034 (NetBIOS information disclosure) gets a rating of Low, even though
Blaster showed us just how many Windows installations run with all ports
accessible.

It's surprising that MS03-035 (circumventing Office Macro security) and
MS03-036 (BO in WordPerfect Converter) got ratings of Important rather than
Critical, I guess the bulletins are waiting for some autoamtic exploit to
surface before revision.

At least MS03-037 (VBA code execution) got a proper Critical rating.

MS03-038 (code execution in Access Snapshot Viewer, an ActiveX control) got
a rating of Moderate for webpage based exploits but completely forgets to
mention HTML email.

Lots of different ratings and lots of details to consider before system
administrators can decide when to apply these patches, but we really want
simplicity over complexity. I would still prefer 2 ratings instead of 4,
Apply Now or Apply Later - with the latter heading for the bi-weekly patch
job. Let's face it, rolling out patches in a big corporation on an almost
daily basis is just not very effective or economical.

Which leads to the positive side, it is definitely great to see Microsoft
releasing 5 vulnerabilities in a single day, rather than releasing a new
every other day. They must have listened to the feedback from administrators
who tired of inefficient and constant patch jobs, and should definitely
adhere to this practice in the future. It may be a small step in optimizing
the entire patch process, but it's a positive trend.

If there is anything we have learnt in the months behind us it is that
producing patches is the least of our worries in security, getting
administrators and endusers to actually apply those patches is an entirely
different ballgame.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher



-----Original Message-----
From: Microsoft
[mailto:0_51922_1B06CAE9-7FDB-4EFF-B651-1869EADE5F25_DK () Newsletters Micr
osoft.com]
Sent: 3. september 2003 23:46
To: thor () pivx com
Subject: Microsoft Security Update


-----BEGIN PGP SIGNED MESSAGE-----

THE MICROSOFT SECURITY UPDATE NEWSLETTER

September 3, 2003

The Microsoft Security Update Newsletter for home users
and small businesses provides information on security-related
updates to Microsoft(R) products, as well as virus alerts
and resources for more information on security issues.

You have received this update as a subscriber to the Microsoft
Security Update Newsletter. To cancel your subscription, follow
the instructions at the bottom of this page.
__________________________________________________

SECURITY BULLETIN MS03-034

Security Update for Microsoft Windows
http://go.microsoft.com/?linkid=237617

SEVERITY
Low

WHY WE ARE ISSUING THIS UPDATE
A security issue has been identified in Microsoft Windows(R)
that could allow an attacker to see information in your computer's
memory over a network. You can help protect your computer by
installing this update from Microsoft.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Windows NT(R) Server 4.0
Windows NT Server 4.0 Terminal Server Edition
Windows 2000
Windows XP
Windows Server(TM) 2003
__________________________________________________

SECURITY BULLETIN MS03-035

Security Update for Microsoft Word
http://go.microsoft.com/?linkid=237618

SEVERITY
Important

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Word(R) could allow an
attacker to compromise a Microsoft Windows-based system and then
take a variety of actions. For example, an attacker could read
files on your computer or run programs on it. By installing this
update, you can help protect your computer.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Word 97, 98(J), 2000, and 2002
Works Suite 2001, 2002, and 2003
__________________________________________________

SECURITY BULLETIN MS03-036

Security Update for Microsoft Office
http://go.microsoft.com/?linkid=237619

SEVERITY
Important

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Office could allow an
attacker to compromise a system using Microsoft Office and then
take a variety of actions. For example, an attacker could read
files on your computer or run programs on it. By installing this
update, you can help protect your computer.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Office 97, 2000, and XP
Word 98(J)
FrontPage 2000 and 2002
Publisher 2000 and 2002
Works Suite 2001, 2002, and 2003
__________________________________________________

SECURITY BULLETIN MS03-037

Security Update for Microsoft Visual Basic for Applications
http://go.microsoft.com/?linkid=237620

SEVERITY
Critical

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Visual Basic(R) for
Applications could allow an attacker to compromise a Windows-based
system and then take a variety of actions. For example, an attacker
could read files on your computer or run programs on it. By
installing this update, you can help protect your computer.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Visual Basic for Applications SDK 5.0, 6.0, 6.2, and 6.3
Office 97, 2000, and XP
Word 98(J)
Visio 2000 and 2002
Project 2000 and 2002
Publisher 2002
Works Suite 2001, 2002, and 2003
Business Solutions Great Plains 7.5
Business Solutions Dynamics 6.0 and 7.0
Business Solutions eEnterprise 6.0 and 7.0
Business Solutions Solomon 4.5, 5.0, and 5.5
__________________________________________________

SECURITY BULLETIN MS03-038

Security Update for Microsoft Access and Access Snapshot Viewer
http://go.microsoft.com/?linkid=237621

SEVERITY
Moderate

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Access and the downloadable
Access Snapshot Viewer could allow an attacker to compromise a system
using Microsoft Office or the Microsoft Access Snapshot Viewer and
then take a variety of actions. For example, an attacker could read
files on your computer or run programs on it. By installing this
update, you can help protect your computer.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Access  97, 2000, and 2002
__________________________________________________
<snip rest>




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]