Get up to speed on Microsoft's June security bulletins

Microsoft released 10 security bulletins in June—three critical, four important, and three moderate threats. Last time (http://www.techrepublic.com/5100-1009_11-5754210.html), John McCormick brought you up to speed on the three critical updates. This time, he completes his coverage by offering the details on the remaining seven bulletins.

Getting back to business as usual, Microsoft released 10 security bulletins in June. Of the 10 updates, Microsoft has rated three as critical, four as important, and three as moderate threats.

Details

Last time, I told you what you needed to know about Microsoft's three critical security bulletins for June. This time, let's look at the remaining seven bulletins, classified as either important or moderate threats.

The four important bulletins are all remote code execution threats. However, either because most systems don't have the involved service installed or because a successful attack requires active participation from the user, Microsoft doesn't consider them higher than important threats.

The remaining three bulletins pose an even lower-level threat because they don't allow the attacker to take over the vulnerable system or even cause a lot of damage. However, it's important to remember that even a minor problem is critical if it affects your organization's system.

MS05-028

Microsoft Security Bulletin MS05-028, "Vulnerability in Web Client Service Could Allow Remote Code Execution," fixes a Web client vulnerability (CAN-2005-1207).

Applicability

  • Windows XP Service Pack 1
  • Windows XP 64-bit Itanium editions
  • Windows Server 2003
  • Windows Server 2003 Itanium editions

Risk level
This is an important threat for Windows XP systems, and it is a moderate threat for Windows Server 2003 systems.

Mitigating factors
For information about various mitigating factors, see the security bulletin.

Fix
Apply the update. For information about any workarounds, read the security bulletin.

MS05-029

Microsoft Security Bulletin MS05-029, "Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks," addresses an issue with Outlook Web Access (CAN-2005-0563).

Applicability
This update only affects Microsoft Exchange Server 5.5 Service Pack 4.

Risk level
Microsoft has rated this as an important threat.

Mitigating factors
For information about various mitigating factors, see the security bulletin.

Fix
Apply the update. For information about any workarounds, read the security bulletin.

MS05-030

Microsoft Security Bulletin MS05-030, "Cumulative Security Update in Outlook Express," fixes an Outlook Express news reading vulnerability (CAN-2005-1213).

Applicability

  • Windows 2000 SP3
  • Windows 2000 SP4
  • Windows XP SP1
  • Windows XP 64-bit Itanium editions
  • Windows Server 2003
  • Windows Server 2003 Itanium editions
  • Windows 98
  • Windows SE
  • Windows ME

While this update affects Windows 98, Windows SE, and Windows ME, Microsoft hasn't provided a patch. The threat isn't critical, and other support has ended for these operating systems.

Risk level
Microsoft has rated this as an important threat for all affected systems.

Mitigating factors
For information about various mitigating factors, see the security bulletin.

Fix
Apply the update. For information about any workarounds, read the security bulletin.

MS05-031

Microsoft Security Bulletin MS05-031, "Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution," addresses a vulnerability with interactive training (CAN-2005-1212).

Applicability

  • Windows 2000 SP3
  • Windows 2000 SP4
  • All versions of Windows XP (including SP2 and 64-bit editions)
  • All versions of Windows Server 2003 (including Itanium editions)
  • Windows 98
  • Windows SE
  • Windows ME

While this update affects Windows 98, Windows SE, and Windows ME, Microsoft hasn't provided a patch. The threat isn't critical, and other support has ended for these operating systems.

Risk level
Microsoft has rated this as an important threat for all affected systems.

Mitigating factors
For information about various mitigating factors, see the security bulletin.

Fix
Apply the update. For information about any workarounds, read the security bulletin.

MS05-032

Microsoft Security Bulletin MS05-032, "Vulnerability in Microsoft Agent Could Allow Spoofing," addresses a threat with Microsoft Agent (CAN-2005-1214).

Applicability

  • Windows 2000 SP3
  • Windows 2000 SP4
  • All versions of Windows XP (including SP2 and 64-bit editions)
  • All versions of Windows Server 2003 (including Itanium editions)
  • Windows 98
  • Windows SE
  • Windows ME

While this update affects Windows 98, Windows SE, and Windows ME, Microsoft hasn't provided a patch. The threat isn't critical, and other support has ended for these operating systems.

Risk level
This is a moderate threat for Windows 2000 and Windows XP systems, and it is a low threat for Windows Server 2003 systems. Microsoft has deemed the threat not critical for Windows 98, Windows SE, and Windows ME.

Mitigating factors
For information about various mitigating factors, see the security bulletin.

Fix
Apply the update. For information about any workarounds, read the security bulletin.

MS05-033

Microsoft Security Bulletin MS05-033, "Vulnerability in Telnet Client Could Allow Information Disclosure," addresses a Telnet issue (CAN-2005-1205).

Applicability

  • All versions of Windows XP (including SP2 and 64-bit editions)
  • All versions of Windows Server 2003 (including Itanium editions)
  • Microsoft Windows Services for UNIX 2.2, 3.0, and 3.5 when running on Windows 2000

Risk level
This is a moderate threat for all affected systems.

Mitigating factors
For information about various mitigating factors, see the security bulletin.

Fix
Apply the update. For information about any workarounds, read the security bulletin.

MS05-034

Microsoft Security Bulletin MS05-034, "Cumulative Security Update for ISA Server 2000," fixes an HTTP content header vulnerability (CAN-2005-1215) and a NetBIOS predefined filter vulnerability (CAN-2005-1216).

Applicability
This update only affects Microsoft Internet Security and Acceleration (ISA) Server 2000 SP2.

Risk level
Microsoft has rated both vulnerabilities as moderate threats.

Mitigating factors
For information about various mitigating factors, see the security bulletin.

Fix
Apply the update. For information about any workarounds, read the security bulletin.

Final word

There simply wasn't room in this week's column to address all of the various mitigating factors and workaround details for each security bulletin. However, if any of these affect your organization, I recommend reading the entire security bulletin to cover your bases.

In the wake of MasterCard's recent security faux pas, which apparently resulted in the exposure of 40 million credit card accounts, Congress has finally awakened to the fact that this is actually the 21st century and is contemplating taking some action. A new proposed bill would criminalize some privacy disclosure breaches for the executives of the responsible company.

Senate Judiciary Committee Chairman Arlen Specter and Senator Patrick Leahy have introduced the bill, marking the first time a Republican has supported such a measure. The senators have modeled the proposed legislation after the current California privacy laws. Ironically, California's lawmakers are currently in the process of expanding protection beyond electronic records to paper and taped files.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
