Microsoft Releases 10 Security Bulletins

Microsoft's monthly bundle of patches for June is one of the biggest since the company switched to a monthly patching cycle, and it brings fixes for 12 vulnerabilities, including three critical issues.

The Microsoft Security Response Center posted the patches on Tuesday in 10 security bulletins, numbered MS05-025 through MS05-034. To fix the flaws across its massive matrix of supported operating systems and applications, the company posted 49 different patches to the Microsoft Download Center Monday night and Tuesday morning.

Six of the bulletins addressed flaws that could allow an attacker to take control of a vulnerable system over the Internet. Two of the flaws were public prior to Microsoft releasing a patch, but neither of those issues involved a critical flaw.

The majority of the bulletins, eight, covered problems in the Windows operating system. Individual bulletins addressed issues in such Windows components as Internet Explorer, HTML Help, the Microsoft Agent, the Web Client service, Server Message Block and Telnet.

Three of the Windows bulletins covered critical flaws -- the one for Internet Explorer, the one for HTML Help and the one covering Server Message Block. The HTML Help flaw was also critical for Windows 98/98SE/ME, triggering patches for those older platforms.

Aside from Windows, Microsoft released cumulative updates for Internet Security & Acceleration Server 2000 and for Outlook Express. Security updates also hit for Exchange Server 5.5 and for Services for Unix. The SFU vulnerability is related to the Telnet flaw that affects Windows.

Altogether, Microsoft issued three critical bulletins, four important bulletins and three moderate bulletins on Tuesday.

The Internet Explorer bulletin (MS05-025) and the ISA Server bulletin (MS05-034) each dealt with two flaws. The second IE flaw is moderate in severity and could allow an information disclosure if exploited. Details of that flaw made it onto the Web before Microsoft released the patch, but neither proof-of-concept code nor known abuse of the flaw has surfaced so far, according to Microsoft.

Both flaws in the ISA Server bulletin allow elevation of privilege, although one of them also involves cache poisoning. Known within the broader security community as "HTTP smuggling," that vulnerability was also already public before Tuesday. Again, Microsoft says it has not seen public proof-of-concept code or received reports that the flaw is being abused. The other problem fixed in the ISA Server patch was not made public before Tuesday.

Because Microsoft Small Business Server 2000 and Microsoft Small Business Server 2003 Premium Edition include ISA Server 2000, the ISA Server patch is intended for those server products as well. ISA Server 2004 is not affected by the vulnerabilities.

Microsoft's June security summary, which includes links to each of the individual security bulletins, is available at http://www.microsoft.com/technet/security/bulletin/ms05-jun.mspx.

See also, A Look at the Microsoft Security Response Center's Playbook.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
