Microsoft posts 'revisions' to security bulletins

IDG News Service - Two software patches Microsoft Corp. released last week caused problems on foreign language versions of the Windows operating system and Exchange e-mail server. As a result, Microsoft yesterday issued "major revisions" to the two patches, MS03-045 and MS03-047, that included new patches for affected customers and additional instructions to get the patches to stick on vulnerable systems.
Microsoft officials weren't immediately available to comment today.
Security bulletin MS03-045 concerns a buffer overrun vulnerability in a component of most supported versions of Windows. Microsoft rated the issue "important" but not critical. If left unpatched, the security hole would allow any person with a valid user log-in and password for an affected system to take total control of that machine and run malicious code on it.
After releasing the bulletin and the associated patches, Microsoft discovered compatibility problems between the patch and third-party software on systems running foreign language editions of Windows 2000 with Service Pack 4, Microsoft said.
Russian, Spanish and Italian versions of Windows 2000 were affected, in addition to versions in a number of other languages, including Czech, Finnish and Turkish, Microsoft said.
Security bulletin MS03-047 was rated "moderate" and described a cross-site scripting vulnerability in Exchange Server 5.5, Service Pack 4. If left unpatched, the problem could allow a remote attacker to send a user on a vulnerable system an e-mail message containing an embedded Web link to trick victims into running a computer script of the attacker's choice, Microsoft said.
Microsoft said it discovered that the patch didn't work for some customers who installed foreign language versions of Outlook Web Access (OWA), an Exchange service that enables e-mail users to access their Exchange mailboxes using a Web browser instead of the Outlook mail client.
While customers running English, German, French and Japanese versions of OWA were covered by the original patch, those running OWA in other languages need to apply the rereleased version, Microsoft said.
The move came two weeks after Microsoft CEO Steve Ballmer introduced a new, streamlined approach to distributing software patches. Citing complaints from customers about the difficulty of staying on top of weekly security patches from the company, Ballmer said Microsoft would switch from a weekly to a monthly patch release schedule unless it felt that customers were in imminent danger of attack from a known product vulnerability.
Last week, Microsoft released the first of its monthly bulletins containing patches for four critical holes in the Windows operating system and one critical flaw in Exchange, in addition to the patches it rereleased this week for the lower-rated vulnerabilities.