Microsoft has not released any new security bulletins since the last
issue of Brian’s Buzz was sent out. The company probably won’t issue any more
such bulletins until its next regularly scheduled announcement on April 13,
which is the second Tuesday of this month.
I wrote in the Mar. 11 issue of Brian’s Buzz about three security
bulletins that Microsoft released as part of its normal monthly update
schedule on Mar. 9.
MS04-009 (828040): Microsoft has announced a security weakness
in Outlook 2002, which is available separately as well as in Office XP, that
can allow an attacker to take control of a PC if a malicious Web page
or e-mail message is viewed.
Security researchers have published a warning that
most versions of Microsoft’s Internet Explorer have flaws that allow an
attacker to “listen” to username/password strings when a connection to a ”
secure” Web site is begun.
Microsoft announced on Feb. 10, as part of its regular monthly patch
schedule, a major security hole affecting Windows NT, 2000, XP, and to some
extent 2003. Experts are calling the new problem a more dangerous
threat to PCs than other virus epidemics such as Code Red.
since the ones that
I discussed in the
paid version of Brian’s Buzz. For this reason, I have no alerts to tell you
about in today’s issue. The next expected release of bulletins
from Microsoft will be on Feb. 10 and will be analyzed in the Feb. 12
Microsoft had planned to terminate all technical support for Windows 98
on Jan. 16, 2004, and support for
Windows Me on Dec. 31, 2004. But an outcry from users, especially in
developing countries where most people don’t upgrade their software as
quickly, led Microsoft into a rare change of heart.
Reuters reports that 20% of all Windows-based PCs worldwide run
Windows 98 or the even older Windows 95.
By laying out a linked series of six simple hacker techniques, a
volunteer researcher has shown that a Trojan horse
program can be deposited and run on a PC if a user merely views
a Web page in Internet Explorer 6 – even with all of Microsoft’s
latest service packs and security patches installed.
In keeping with its new policy of trying to release new security patches
only once a month instead of weekly (as I described in a
special report in the Nov.
6 paid version of Brian’s Buzz), Microsoft on Nov. 11
released two Windows patches rated “critical” and one rated “important.”
Microsoft has made what I consider the most significant changes in
its security-bulletin release policy since the beginning of security
bulletins. Instead of sending out Windows patches every week, as has
until recently been the case, the Redmond software giant now plans to
circulate new patches only once a month, on the 2nd Tuesday of each
month. (If a worm is running loose “in the wild,” Microsoft says it will
release a special patch immediately.)