Older platforms get the brunt of May patch activity

Internet Explorer, Microsoft Office and Microsoft Exchange Server are getting critical patches this month. Most, though not all, are on older versions of the software.

This month's round of fixes from Microsoft demonstrated once again that its new approach to trapping bugs and possible exploits, which it adopted for Microsoft Office 2007 and Windows Vista — the Software Development Lifecycle — continues to pay off.


It still doesn't mean total immunity, though -- a few potential security exploits for Internet Explorer 7 under Windows Vista and a few Microsoft Office 2007 products have surfaced. But the vast majority of the problems this time around are confined to earlier Microsoft products.

Although not everyone is affected equally by these problems, all of the patches have been rated as critical.

  • Five exploits have been discovered that affect Internet Explorer, with four of the five affecting Internet Explorer 7 under Windows Vista. The Uninitialized Memory Corruption Vulnerability problem that's addressed in this bulletin affects only Internet Explorer 6 or earlier, but don't take this as a sign that Internet Explorer 7 should not be patched.

  • A set of vulnerabilities that affects all of Microsoft Office also affects some Microsoft Office 2007 products, although there's a Microsoft Word issue that affects only versions of Microsoft Word before 2007. Versions of Microsoft Works and Microsoft Word for the Macintosh are also affected.

  • A set of issues that affect Microsoft Exchange Server 2000 through 2007 is also being addressed, although two of the four issues don't affect Microsoft Exchange Server 2007 -- probably because of better programming practices.

  • An issue in the Cryptographic API has been dealt with, although the only major software affected by this is BizTalk 2004, and the conditions for the exploit are fairly rare.

  • Lastly, Microsoft has finally fixed a vulnerability in Windows DNS Server's RPC system on Windows 2000 Server and Windows Server 2003. This issue made it possible to attack and take control of the Microsoft DNS service via the RPC remote-management function for DNS. Word about this has been circulating for some time, and a common workaround was to simply disable remote management via RPC for DNS through a Registry edit. If you edited the Registry as a workaround, those changes will not be undone when you apply this fix. You'll need to undo them manually.

About the author: Serdar Yegulalp is editor of Windows Insight. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
