Microsoft Issues Patches For Software Flaws In Security Bulletin
Less than a week after revealing its intention to issue monthly security updates, the software maker issued security bulletins that address seven flaws.
Microsoft on Wednesday issued two security bulletins that fix seven security flaws, five of which the software maker ranked as critical, its most severe rating. It's the first round of security bulletins issued under Microsoft's new policy of releasing patches on a monthly schedule whenever possible.
The Microsoft Exchange Server Security Bulletin Summary for October addresses two vulnerabilities in that application; one was ranked critical and the other moderate. The critical vulnerability affects Exchange Server 5.5 and Exchange 2000 Server. According to Security Bulletin MS03-046, this vulnerability could let an attacker execute malicious code on a vulnerable system. The moderate vulnerability, addressed in Security Bulletin MS03-047, could allow what's known as a cross-site scripting attack on Exchange Server 5.5. In a cross-site scripting attack, an attacker generally creates a hyperlink that carries malicious data and that could be embedded in an E-mail, a Web site, or an instant message. The attacker must convince the user to click on that link, which brings the user to a Web page that could pose a security threat.
Microsoft disclosed five Windows vulnerabilities, four of which are ranked critical and would allow the execution of remote code.
"While it may appear confusing at first, I think Microsoft switching to the monthly announcements is an overall plus for corporations trying to manage their resources to dedicate toward patching," says John Pescatore, research director at Gartner.
Here's a listing of the vulnerabilities announced Wednesday. More information is available at www.microsoft.com/security:
• MS03-047: Vulnerability in Exchange Server 5.5 Outlook Web Access could allow cross-site scripting attack (828489)
• MS03-046: Vulnerability in Exchange Server could allow arbitrary code execution (822363)
• MS03-045: Buffer overrun in the ListBox and in the ComboBox Control could allow code execution (824141)
• MS03-044: Buffer overrun in Windows Help and Support Center could lead to system compromise (825119)
• MS03-043: Buffer overrun in Messenger Service could allow code execution (828035)
• MS03-042: Buffer overflow in Windows Troubleshooter ActiveX Control could allow code execution (826232)
• MS03-041: Vulnerability in Authenticode Verification could allow remote code execution (823182)