Getting back to business as usual, Microsoft released 10 security bulletins in June. Of the 10 updates, Microsoft has rated three as critical, four as important, and three as moderate threats.
Details
Last time, I told you what you needed to know about Microsoft’s three critical security bulletins for June. This time, let’s look at the remaining seven bulletins, classified as either important or moderate threats.
The four important bulletins are all remote code execution threats. However, either because most systems don’t have the involved service installed or because a successful attack requires active participation from the user, Microsoft doesn’t consider them higher than important threats.
The remaining three bulletins pose an even lower-level threat because they don’t allow the attacker to take over the vulnerable system or cause much damage. However, it’s important to remember that even a minor problem is critical if it affects your organization’s systems.
MS05-028
Microsoft Security Bulletin MS05-028, “Vulnerability in Web Client Service Could Allow Remote Code Execution,” fixes a Web client vulnerability (CAN-2005-1207).
Applicability
- Windows XP Service Pack 1
- Windows XP 64-bit Itanium editions
- Windows Server 2003
- Windows Server 2003 Itanium editions
Risk level
This is an important threat for Windows XP systems, and it is a moderate threat for Windows Server 2003 systems.
Mitigating factors
For information about various mitigating factors, see the security bulletin.
Fix
Apply the update. For information about any workarounds, read the security bulletin.
MS05-029
Microsoft Security Bulletin MS05-029, “Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks,” addresses an issue with Outlook Web Access (CAN-2005-0563).
Applicability
This update only affects Microsoft Exchange Server 5.5 Service Pack 4.
Risk level
Microsoft has rated this as an important threat.
Mitigating factors
For information about various mitigating factors, see the security bulletin.
Fix
Apply the update. For information about any workarounds, read the security bulletin.
MS05-030
Microsoft Security Bulletin MS05-030, “Cumulative Security Update in Outlook Express,” fixes an Outlook Express news reading vulnerability (CAN-2005-1213).
Applicability
- Windows 2000 SP3
- Windows 2000 SP4
- Windows XP SP1
- Windows XP 64-bit Itanium editions
- Windows Server 2003
- Windows Server 2003 Itanium editions
- Windows 98
- Windows SE
- Windows ME
While this update affects Windows 98, Windows SE, and Windows ME, Microsoft hasn’t provided a patch. The threat isn’t critical, and other support has ended for these operating systems.
Risk level
Microsoft has rated this as an important threat for all affected systems.
Mitigating factors
For information about various mitigating factors, see the security bulletin.
Fix
Apply the update. For information about any workarounds, read the security bulletin.
MS05-031
Microsoft Security Bulletin MS05-031, “Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution,” addresses a vulnerability with interactive training (CAN-2005-1212).
Applicability
- Windows 2000 SP3
- Windows 2000 SP4
- All versions of Windows XP (including SP2 and 64-bit editions)
- All versions of Windows Server 2003 (including Itanium editions)
- Windows 98
- Windows SE
- Windows ME
While this update affects Windows 98, Windows SE, and Windows ME, Microsoft hasn’t provided a patch. The threat isn’t critical, and other support has ended for these operating systems.
Risk level
Microsoft has rated this as an important threat for all affected systems.
Mitigating factors
For information about various mitigating factors, see the security bulletin.
Fix
Apply the update. For information about any workarounds, read the security bulletin.
MS05-032
Microsoft Security Bulletin MS05-032, “Vulnerability in Microsoft Agent Could Allow Spoofing,” addresses a threat with Microsoft Agent (CAN-2005-1214).
Applicability
- Windows 2000 SP3
- Windows 2000 SP4
- All versions of Windows XP (including SP2 and 64-bit editions)
- All versions of Windows Server 2003 (including Itanium editions)
- Windows 98
- Windows SE
- Windows ME
While this update affects Windows 98, Windows SE, and Windows ME, Microsoft hasn’t provided a patch. The threat isn’t critical, and other support has ended for these operating systems.
Risk level
This is a moderate threat for Windows 2000 and Windows XP systems, and it is a low threat for Windows Server 2003 systems. Microsoft has deemed the threat not critical for Windows 98, Windows SE, and Windows ME.
Mitigating factors
For information about various mitigating factors, see the security bulletin.
Fix
Apply the update. For information about any workarounds, read the security bulletin.
MS05-033
Microsoft Security Bulletin MS05-033, “Vulnerability in Telnet Client Could Allow Information Disclosure,” addresses a Telnet issue (CAN-2005-1205).
Applicability
- All versions of Windows XP (including SP2 and 64-bit editions)
- All versions of Windows Server 2003 (including Itanium editions)
- Microsoft Windows Services for UNIX 2.2, 3.0, and 3.5 when running on Windows 2000
Risk level
This is a moderate threat for all affected systems.
Mitigating factors
For information about various mitigating factors, see the security bulletin.
Fix
Apply the update. For information about any workarounds, read the security bulletin.
MS05-034
Microsoft Security Bulletin MS05-034, “Cumulative Security Update for ISA Server 2000,” fixes an HTTP content header vulnerability (CAN-2005-1215) and a NetBIOS predefined filter vulnerability (CAN-2005-1216).
Applicability
This update only affects Microsoft Internet Security and Acceleration (ISA) Server 2000 SP2.
Risk level
Microsoft has rated both vulnerabilities as moderate threats.
Mitigating factors
For information about various mitigating factors, see the security bulletin.
Fix
Apply the update. For information about any workarounds, read the security bulletin.
Final word
There simply wasn’t room in this week’s column to address all of the various mitigating factors and workaround details for each security bulletin. However, if any of these affect your organization, I recommend reading the entire security bulletin to cover your bases.
In the wake of MasterCard’s recent security faux pas, which apparently resulted in the exposure of 40 million credit card accounts, Congress has finally awakened to the fact that this is actually the 21st century and is contemplating taking some action. A new proposed bill would criminalize some privacy disclosure breaches for the executives of the responsible company.
Senate Judiciary Committee Chairman Arlen Specter and Senator Patrick Leahy have introduced the bill, marking the first time a Republican has supported such a measure. The senators have modeled the proposed legislation after the current California privacy laws. Ironically, California’s lawmakers are currently in the process of expanding protection beyond electronic records to paper and taped files.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.