Microsoft to fix F1 bug

Microsoft, which will be fixing 25 security vulnerabilities in all, made the announcement through its Advance Notification Service late last week. It will release 11 bulletins addressing vulnerabilities in Windows, Microsoft Office, and Microsoft Exchange.

The F1 bug was announced at the beginning of March. Detailed in Microsoft security advisory 981169, it concerned a vulnerability in VBScript, exposed on supported versions of Windows 2000, XP, and Windows Server 2003 via Internet Explorer. Windows 7, Windows Server 2008, and Windows Vista are immune to the bug, which allows arbitrary code to be remotely executed on a compromised system.

Also to be fixed is the security flaw announced in Microsoft security advisory 977544: 'Vulnerability in SMB could allow denial of service'. This vulnerability, published in mid-November last year, allows Microsoft's Server Message Block protocol to be exploited to stop a user's system from responding until manually restarted.

Of the 11 Microsoft patches to be issued tomorrow, five are critical and involve remote code execution, and four require a restart. "Overall, April's Patch Tuesday Bulletin will address at least two critical vulnerabilities for every popular Microsoft platform in use today, so the impact will be widespread regardless of what operating systems companies are currently running," said Don Leatham, senior director of solutions and strategy for security company Lumension. "This means that IT departments will have to address and patch almost every machine in the organization."

When making the advance notification, Microsoft's group manager for response communications, Jerry Bryant, also reminded users that Windows XP Service Pack 2 will no longer be supported after July 13. "Many customers are still on this version, so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible," he suggested. Microsoft is also ceasing extended support for Windows 2000 on July 13, and will not provide any security updates for the operating system from that point onward.
