Two software patches released by Microsoft last week caused problems on foreign language versions of the Windows operating system and Exchange e-mail server, only weeks after the company streamlined its patch distribution strategy.
On Wednesday, Microsoft issued "major revisions" to the two patches, MS03-045 and MS03-047, which included new patches for affected customers and additional instructions to get the patches to stick on vulnerable systems.
Security bulletin MS03-045 concerns a buffer overrun vulnerability in a component of most supported versions of Windows. Microsoft rated the issue "important", but not critical.
If left unpatched, the security hole would allow any person with a valid user login and password for an affected system to take total control of that machine and run malicious code on it. (See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-045.asp.)
After releasing the bulletin and the associated patches, Microsoft discovered compatibility problems between the patch and third-party software on systems running foreign language editions of Windows 2000 with Service Pack 4.
Russian, Spanish and Italian versions of Windows 2000 were affected, as well as a number of other languages, including Czech, Finnish and Turkish.
Security bulletin MS03-047 was rated "Moderate" and described a cross-site scripting vulnerability in Exchange Server 5.5, Service Pack 4. If left unpatched, the problem could allow a remote attacker to send a user on a vulnerable system an e-mail message containing an embedded web link that tricks the victim into running a computer script of the attacker's choice. (See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-047.asp.)
Microsoft discovered the patch did not work for some customers who installed foreign language versions of Outlook Web Access, an Exchange service which enables e-mail users to access their Exchange mailbox using a web browser instead of the Outlook mail client.
While customers running English, German, French and Japanese versions of OWA were covered by the original patch, those running OWA in other languages need to apply the re-released version, Microsoft said.
The backtracking came after Microsoft Chief Executive Officer Steve Ballmer introduced a new, streamlined approach to distributing software patches two weeks ago. Citing complaints from customers about the difficulty of staying on top of weekly security patches from the company, Ballmer said that Microsoft would switch from a weekly to a monthly patch release schedule, unless it felt that customers were in imminent danger of attack from a known product vulnerability.
Last week, Microsoft released the first of its monthly bulletins containing patches for four critical holes in the Windows operating system and one critical flaw in Exchange, in addition to the lower-rated vulnerabilities it rereleased this week.
Paul Roberts writes for IDG News Service.