Office XP Bulletin Critical After All

Microsoft alerted users on Wednesday that the security bulletin it released the day before for Office XP is more severe than the software company's security experts originally thought.

Microsoft issued the bulletin MS04-009 on Tuesday with a rating of "important." But the bulletin was re-released on Wednesday with a "critical" rating, Microsoft's most severe designation. The bulletin was part of Microsoft's monthly bundle of patches, which have been released on the second Tuesday of each month since October. Three patches were released on Tuesday; the others involved a moderate flaw with Windows and a moderate flaw with MSN Messenger.

"This change is based on information concerning a new attack scenario discovered after the bulletin's original release on March 9th," a Microsoft spokesperson said. Microsoft officials say customers who applied the patch provided with the bulletin on Tuesday, or who applied Office XP Service Pack 3, are still protected against the flaw despite the change in the severity rating.

The original bulletin reported that the flaw allowed remote code execution because of a problem with the way Outlook 2002 parses specially crafted mailto URLs. An attacker would have to entice a victim to click on a malicious Web site or HTML e-mail.

The new attack vector affects users who set Outlook Today as their default folder and could allow a privilege elevation attack. In addition to the patch, which protects against the new attack vector, Microsoft also added a workaround to allow customers who cannot deploy the patch immediately to disable the use of the Outlook Today page.

Microsoft has issued 10 security bulletins so far in 2004, and four of them have been critical. Last year at this time, Microsoft had also issued 10 security bulletins, but five of those were critical.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

