
Office XP Bulletin Critical After All

Microsoft alerted users on Wednesday that the security bulletin it released the day before for Office XP is more severe than the software company's security experts originally thought.

Microsoft issued the bulletin MS04-009 on Tuesday with a rating of "important." But the bulletin was re-released on Wednesday with a "critical" rating, Microsoft's most severe designation. The bulletin was part of Microsoft's monthly bundle of patches, which have been released on the second Tuesday of each month since October. Three patches were released on Tuesday; the others involved a moderate flaw with Windows and a moderate flaw with MSN Messenger.

"This change is based on information concerning a new attack scenario discovered after the bulletin's original release on March 9th," a Microsoft spokesperson said. Microsoft officials say customers who applied the patch provided with the bulletin on Tuesday, or who applied Office XP Service Pack 3, are still protected against the flaw despite the change in the severity rating.

The original bulletin reported that the flaw allowed remote code execution because of a problem with the way Outlook 2002 parses specially crafted mailto URLs. An attacker would have to entice a victim to click on a malicious Web site or HTML e-mail.

The new attack vector affects users who set Outlook Today as their default folder and could allow a privilege elevation attack. In addition to the patch, which protects against the new attack vector, Microsoft also added a workaround to allow customers who cannot deploy the patch immediately to disable the use of the Outlook Today page.

Microsoft has issued 10 security bulletins so far in 2004, and four of them have been critical. Last year at this time, Microsoft had also issued 10 security bulletins, but five of those were critical.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
