News

Microsoft Patch Day Brings 3 New Security Fixes

• By Scott Bekker
• February 10, 2004

Tuesday was Microsoft's monthly patch day, and the company marked the date with three new security bulletins, including one critical new bulletin for Windows. In all Microsoft bundled four security bulletins, including one it issued for Internet Explorer last week outside its normal patch cycle.

The new critical Windows bulletin (MS04-007) involves an unchecked buffer, which could lead to a buffer overflow. The flaw affects Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 and is rated critical across all the affected platforms.

The problem lies in the Microsoft Abstract Syntac Notation 1 (ASN.1) Library. Microsoft describes ASN.1 as a data standard used by applications and devices for allowing normalization and understanding of data across platforms. Windows NT 4.0 doesn't install the ASN.1 Library file by default, however, and the update may not be required for all Windows NT 4.0 systems.

Also critical is the bulletin for Internet Explorer, MS04-004, a cumulative bulletin for Internet Explorer that, among other things, aimed to fix the URL spoofing problem that enables a class of "phishing" scams. (See related story.) When it posted Feb. 2, MS04-004 was the first bulletin to be released outside of Microsoft's monthly patching cycle since the monthly program was introduced in October.

The patch day releases also include two security bulletins for vulnerabilities rated "important" by Microsoft.

One is a problem with the Windows Internet Naming Service (WINS) that could allow remote code execution. That vulnerability (MS04-006) affects supported versions of Windows servers but not Windows clients.

The other, MS04-005, is a problem in Microsoft Virtual PC for Mac.