Original URL: https://www.theregister.com/2004/03/10/ms_march_patch_batch_low/

MS March patch batch low on peril

Moderate, important and moderate (none critical)

By John Leyden

Posted in Security, 10th March 2004 09:28 GMT

Microsoft's monthly patch train rolled through today bearing a cargo of fixes uncharacteristically low on the peril scale. Today we have patches for two moderate and one important security vuln.

First up, a Microsoft Outlook flaw could allow hackers to inject hostile code on PCs (MS04-009). The flaw stems from incorrect parsing of specially crafted "mailto" URLs by certain versions of Outlook. Users of Office XP and Outlook 2002 need to apply a Redmond-supplied band-aid to avoid the risk of being rooted should they visit a maliciously-constructed website.

Microsoft describes this fix as "important" - its second highest severity classification. Microsoft says that default installations of Outlook make exploitation difficult, hence a slightly lower risk assessment. Hmm.

Next up, there's a moderate vuln in Microsoft MSN Messenger (MS04-010). This creates a means for crackers to view files on a user's hard disk providing he knows the location of a file and a user's login details. Microsoft suggests a hacker would have to know a great deal about a user. But it is still pulling out the stops to get a fix out there.

An auto-update for MSN Messenger users begins early next week. However, the "Messenger team is working overtime to pull that date in closer", Microsoft's spin-doctors tell El Reg. Still concerned? If so, Updated MSN Messenger client software should be posted at the Messenger MSN home page later today.

Lastly, there's vulnerability in Windows Media Services component of Win 2K which carries a moderate DoS risk (MS04-008). ®