Patch Tuesday: Three Security Bulletins, Two Critical

Microsoft released three security bulletins for Windows on Tuesday, its monthly date for patching security problems. Two of the security bulletins involve critical vulnerabilities that could allow an attacker to take complete control of a user's system over the Internet. The patches are especially important because both critical vulnerabilities had already been publicly disclosed.

The bulletins are Microsoft's first three for 2005, after the company posted 45 bulletins in 2004. In all, the bulletins from this week patch four discrete flaws.

Bulletin MS05-001 affects all supported versions of Windows, including Windows XP with Service Pack 2.

The flaw exists in the HTML Help ActiveX control in Windows. It can allow information disclosure or remote code execution. After it is applied, the patch may cause some Web-based applications to stop working properly. Individual Web sites that invoke the control must be enabled on a site-by-site basis.

While the flaw is critical for most platforms, it is rated as only moderate on Windows Server 2003.

Although Windows NT 4.0 is no longer supported by Microsoft as of Dec. 31, 2004 without a custom support contract, Microsoft did test the operating system and determined it was not vulnerable by default. However, users who have installed Internet Explorer 6.0 Service Pack 1 on Windows NT 4.0 are vulnerable. A separate patch is available to harden IE 6 SP1 against the flaw.

Bulletin MS05-002 affects all supported versions of Windows except Windows XP SP2. Microsoft also developed a patch for Windows NT Server 4.0 and Windows NT Server 4.0 Terminal Server Edition and is distributing it freely, despite the end of extended support for NT 4 last year.

The critical remote code execution vulnerability occurs because of a problem in cursor and icon formatting, and is critical for all affected platforms. The bulletin also includes a patch for a separate flaw in the Windows kernel that is rated as an important problem across the affected Windows platforms.

The third bulletin, MS05-003, involves a flaw in the Indexing Service that could allow remote code execution. Because the service is not enabled by default in the affected versions of Windows, the vulnerability received an important rather than critical designation.

The versions of Windows that are vulnerable if the Indexing Service is turned on are Windows XP, Windows 2000 and Windows Server 2003. Windows XP SP2, Windows NT Server 4.0 and Windows 98/98SE/ME are immune.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
