Critical MS Exchange, Windows Patches on Tap

Microsoft plans to release three security bulletins on Tuesday, May 9, to cover several code execution flaws in Windows and the enterprise-facing Microsoft Exchange messaging and collaboration product.

The patches will carry a “critical” rating and will require a restart after installation, Microsoft said in its advance notification.

Microsoft typically applies a “critical” rating to high-priority vulnerabilities that can be exploited to allow the propagation of an Internet worm without any user action.

/zimages/6/28571.gifClick here to read more about recent fixes to Microsofts Internet Explorer.

Two of the three bulletins will provide fixes for flaws in the Windows operating system, and it is very likely that a cumulative Internet Explorer fix could be included.

Several major flaws in IE are on the waiting-for-fixes list.

Based on 85 advisories published by Secunia between 2003 and 2005, about 25 percent of IE bugs remain unpatched.

More than 40 percent of those advisories are serious enough to be used in system compromise attacks.

For example, according to eEye Digital Securitys upcoming advisories page, a Windows denial-of-service bug reported to Microsoft more than five months ago has not yet been fixed.

/zimages/6/84833.gifZiff Davis Media eSeminars invite: Join us on May 8 at 2 p.m. ET as security and identity management experts and Sun Microsystems look at how identity management provisioning can help lower TCO and realize ROI payback.

The third bulletin will apply to Microsoft Exchange, which is part of the software giants Windows Server System line of products. It is widely used in large enterprises to manage e-mail systems, shared calendars and tasks.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.