Microsoft Plans Four Security Fixes For Upcoming Patch Tuesday

The critical flaws affect Microsoft Office, Microsoft Word, and Microsoft Windows respectively.

Thomas Claburn, Editor at Large, Enterprise Mobility

May 9, 2008

2 Min Read

Microsoft on Thursday said that it plans to release patches for four security vulnerabilities on Tuesday, May 13.

According to its Security Bulletin Advance Notification for May 2008, Microsoft said it will fix three critical vulnerabilities and one moderate vulnerability.

The critical flaws affect Microsoft Office, Microsoft Word, and Microsoft Windows respectively. The moderate vulnerability affects several Microsoft security products, including Windows Live OneCare, Antigen, Defender, and Forefront Security. The critical designation typically means that a vulnerability, if successfully exploited, could allow an attacker to execute malicious code remotely. The moderate designation indicates that a number of factors, such as the targeted system's configuration, make the vulnerability harder to exploit.

The critical Windows vulnerability involves the Microsoft Jet 4.0 Database Engine. In March, Microsoft issued a Security Advisory saying that it was "investigating new public reports of very limited, targeted attacks using a vulnerability in the Microsoft Jet Database Engine that can be exploited through Microsoft Word."

The Microsoft Jet Database Engine makes data accessible to a variety of Microsoft and third-party applications, including Microsoft Access, Microsoft Visual Basic, and Information Services (IIS) applications.

According to Microsoft's Jet Security Advisory, versions of the Microsoft Jet Database Engine (msjet40.dll) lower than 4.0.9505.0 are vulnerable to a buffer overrun flaw. To exploit the flaw, an attacker would have to convince a user to open a Word file designed to load a database file that uses msjet40.dll.

"The Jet bulletin is the critical patch that will have the widest impact because it affects Windows XP, Windows 2000 and Windows Server 2003," said Lumension Security director of solutions and strategy Don Leatham in an e-mailed statement. "When prioritizing this month’s patches, this will probably get the most attention because of the number of organizations running these systems and programs."

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights