Fast and Furious: 4 Patches Out of Microsoft Wednesday Night
- By Scott Bekker
- October 03, 2002
Product pitches frequently allege that new security fixes come out of Microsoft on a daily basis. Most days that's an exaggeration.
Wednesday night, however, Microsoft made the hyperbole seem tame by posting four new security bulletins to its Web site. They involved critical vulnerabilities in SQL Server and the Windows Help Active X control and moderate vulnerabilities in three client versions of Windows and the Services for Unix 3.0 Interix SDK.
Microsoft issued its 54th, 55th, 56th and 57th security bulletins of 2002 on Wednesday night. The software giant is fast approaching the 60 bulletins it put out in all of 2001, but Microsoft is unlikely to surpass the 100 bulletins it issued in 2000. Altogether, the four bulletins included patches fixing 11 vulnerabilities. Four of the flaws represented critical problems.
MS02-054 addressed problems with an unchecked buffer in file decompression functions that could lead to code execution in Windows 98 with the Plus! pack, Windows Me and Windows XP. There were two vulnerabilities in the patch, both rating a "moderate" severity designation from Microsoft.
MS02-055 included a patch that fixed the critical buffer overrun flaw in the Windows Help ActiveX control as well as a moderate vulnerability offering attackers potential code execution through compiled HTML Help files. Those flaws affect every supported Windows client operating system from Windows 98 to Windows XP.
MS02-056 contains three fixes for critical problems in SQL Server and MSDE and another fix changing the way SQL Server operates. While Microsoft frequently issues patches to fix multiple problems, it is extremely rare for a patch to address more than one critical vulnerability -- let alone three. See related story.
MS02-057 has a patch that corrects three vulnerabilities of moderate severity in the Sun RPC library in Microsoft’s SFU 3.0 on the Interix software development kit.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.