Continuing its promise to release its most important security fixes on the second Tuesday of each month, Microsoft released security fixes yesterday--three for Windows (two critical) and one for Microsoft Office. In October, Microsoft began its new patch-release schedule in the wake of the MSBlaster and SoBig.F electronic attacks. This month's releases, however, were somewhat problematic for systems administrators at federal sites because yesterday was a US holiday. To alleviate these concerns, the Federal Computer Incident Response Center (FedCIRC) emailed many administrators at various US agencies to warn them the patches were coming. And Microsoft bundled together several patches to make rolling out the fixes easier. The three Windows patches fix eight vulnerabilities, for example.
"We included several patches in some of the fixes," Stephen Toulouse, security program manager for the Microsoft Security Response Center (MSRC), said. "We are trying to drive the deployment of fixes for our customers. It is one of the things our customers have asked us to do."
The Windows fixes involve several Microsoft Internet Explorer (IE) vulnerabilities, a security vulnerability in the Workstation service that could allow remote code execution, and various problems with digital certificates. These vulnerabilities affect Windows Server 2003, Windows XP, Windows 2000, Windows Me, and Windows NT 4.0. The Office fix addresses newly discovered problems in Microsoft Excel, Word, and Works Suite. That fix applies to Excel 2002, Excel 2000, and Excel 97; Word 2002, Word 2000, Word 98 (Macintosh), and Word 97; and Works Suite 2004, Works Suite 2003, Works Suite 2002, and Works Suite 2001. To find out more about the fixes, visit the Microsoft Security & Privacy Web site.