April 13, 2004 - Today Microsoft released the following Security Bulletins

PA Bear

April 13, 2004
Today Microsoft released the following Security Bulletins.

Note: www.microsoft.com/technet/security and www.microsoft.com/security are
authoritative in all matters concerning Microsoft Security Bulletins! ANY
e-mail, web board or newsgroup posting (including this one) should be
verified by visiting these sites for official information. Microsoft never
sends security or other updates as attachments. These updates must be
downloaded from the microsoft.com download center or Windows Update. See the
individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft
security notices, it is recommended that you physically type the URLs into
your web browser and not click on the hyperlinks provided.

Bulletin Summaries:

Windows: http://www.microsoft.com/technet/security/Bulletin/winapr04.mspx

Critical Bulletins:

MS04-011 - Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

MS04-012 - Cumulative Update for Microsoft RPC/DCOM (828741)
http://www.microsoft.com/technet/security/Bulletin/MS04-012.mspx

MS04-013 - Cumulative Security Update for Outlook Express (837009)
http://www.microsoft.com/technet/security/Bulletin/MS04-013.mspx

Important Bulletins:

MS04-014 - Vulnerability in the Microsoft Jet Database Engine Could Allow
Code Execution (837001)
http://www.microsoft.com/technet/security/Bulletin/MS04-014.mspx

Re-Released Bulletins: The following bulletins have been re-released to
advise of the availability of updates for various versions of Microsoft
Exchange Server. Please see the bottom of each bulletin for revision
information.

MS00-082 - Patch Available for 'Malformed MIME Header' Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS00-082.mspx

MS01-041 - Malformed RPC Request Can Cause Service Failure
http://www.microsoft.com/technet/security/Bulletin/MS01-041.mspx

MS02-011 - Authentication Flaw Could Allow Unauthorized Users To
Authenticate To SMTP Service
http://www.microsoft.com/technet/security/Bulletin/MS02-011.mspx

MS03-046 - Vulnerability in Exchange Server Could Allow Arbitrary Code
Execution (829436)
http://www.microsoft.com/technet/security/Bulletin/MS03-046.mspx
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org
 
Stefano Maida

Dapper Dan said:
Thanks for providing Microsoft's Security Bulletins, PA Bear. Unless I
am misreading these summaries, only MS04-013 (# 837009) seems to apply
to Win 98 and/or Me. Or have I misread yet again ??

Download also the one for Outlook Express.
 
Dapper Dan

I did check them out PA and my reading suggested that only one
applied and that's why I asked for your guidance. I have since visited
the site and it confirms KB 837009 for Win 98, however it also
includes KB 831167 which wasn't on the list.
Thanks
 
Ivan Bútora

As far as I can tell, 831167 is a post-cumulative update for IE 6 that patches some issues caused by 832894. It has been available for download for a while now (although not from Windows Update), and should be included in the next cumulative security patch for IE.

As for MS04-011, MS04-012, and MS04-014, there are vulnerabilities there that *do* affect Windows 98/98SE/Me, but are not considered critical, and therefore will not be publicly released. Microsoft has again updated its support policy at http://support.microsoft.com/default.aspx?pr=LifeAn1. The deal is now this: MS will release (and put on Windows Update) *critical* security patches. Non-critical security patches will have to be requested manually. (Question: Where and how do I do that?)

Artwilder, the patch that you tested on your machine is now included in MS04-011.

Greetings,

Ivan



 
PA Bear

A lot depends on IE6-SP1 being installed.

Q831167 was available separately shortly after MS04-004 was released in
February. I needed it for Win98 box but not for WinXP. YMMV.
 
Val - Microsoft [.NOT MVP]

dd;

Maybe if you and PAbear cross-posted to 60 or 70 more NG's the answer would be more forthcoming (or maybe it would just add to the mvNOTpee post count....but who's counting?)

--
val
micro$oft {dot.NOT.dot.NET.dot.NEVER} - mvp (since 1950)
hyperlinks used because they can be;
html posting encouraged;
bottom posters generally ignored as this is an "OE zone"
 
Ivan Bútora

What are you complaining about again? Except perhaps for the msn group, the issues PA Bear posted about are relevant for all of the groups that he sent it to.



 
Ivan Bútora

Artwilder,

the security bulletins, linked to by PA Bear in his post, discuss the vulnerabilities that are fixed by the respective patches. I believe the patches are tested if they are listed as available for the given OS. (Although what exactly regression testing means somewhat mystifies me.)
As for the MS security hotline, is this to be reached at (800) 936-5700, or is there some different number? Do they give you a link to download the given patch?

Ivan



Ivan, are these three patches also non-regression patches that need to be tested? Do you have the web links that explain what they fix? Finally, in regards to your question, you can call the Microsoft security hotline and request the non-critical patches manually. That is how I got the patch to install and test on my machine. Just tell them what you want and if it is in regards to security you will get the hotfix for free.

 
PCR

Same here on this Win98SE, IE6 SP1, fully updated & taking two more.
Thanks, Dapper & PA.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
| I did check them out PA and my reading suggested that only one
| applied and that's why I asked for your guidance. I have since visited
| the site and it confirms KB 837009 for Win 98, however it also
| includes KB 831167 which wasn't on the list.
| Thanks
|
|
| | > Check 'em out.
| >
| > No, don't, just go to Windows Update and see what's offered you.
| > --
| > ~PA Bear
| >
| > Dapper Dan wrote:
| > > Thanks for providing Microsoft's Security Bulletins, PA Bear.
| Unless I
| > > am misreading these summaries, only MS04-013 (# 837009) seems to
| apply
| > > to Win 98 and/or Me. Or have I misread yet again ??
| > >
| > > Dan
| > >
 
Ivan Bútora

I still wonder why they don't just make the download site publicly accessible - I don't see the benefits of this strategy. Anyway, I will call them tomorrow, more to test this procedure than out of a burning desire for the patches themselves.


That number should work okay. The way it works is that Microsoft sends you an e-mail with a link to the patch and your password to open up the hotfix.

 
Hugh Candlin

the security bulletins, linked to by PA Bear in his post, discuss the vulnerabilities that are fixed by the respective patches. I
believe the patches are tested if they are listed as available for the given OS. (Although what exactly regression testing means
somewhat mystifies me.)

====

Let's say I write a program to perform any of 4 functions.

It will add, subtract, multiply or divide any two numbers
entered, depending upon the option number selected [1 through 4].

I test this program, and each of the functions works as specified.

I now change the program to also calculate the average of any
two numbers entered, and make this executable as Option #5.

To test this, I enter two numbers and select Option #5.
The program dutifully displays the average of the two numbers.
I enter more combinations of numbers, and each time,
the new function works as specified.

I move my program into production, and the complaints pour in.
"Hey!!! Option #1 doesn't work".
"Nice going, Slick. Option #2 is all messed up".
"I'm getting garbage answers from Option #3".
"Yo, moron, what did you do to Option #4?".

Alas, when adding new functionality to a program,
a developer may introduce one or more bugs
which can cause one or more of the original functions
to malfunction, even while the new functionality works perfectly.

The way that you try to avoid this is to run all of the prior tests again.
In other words, you "regress" to a previous stage of development,
and run the full complement of tests, just as if you were testing
each function for the very first time, to make sure that they still work.
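
Added example (not part of Hugh Candlin's post): the five-option calculator above as a small Python regression suite, where the feature tests for Option #5 pass while re-running the recorded tests exposes what the change broke. The function names, test values and the specific defect in `calc_v2` are constructed for illustration; this defect breaks only Options #2 and #4.

```python
"""Regression suite for the five-option calculator described in the post above.
All names are hypothetical; the bug in calc_v2 is constructed for illustration."""

def calc_v1(option, a, b):
    """Original release: options 1-4 only."""
    ops = {1: lambda: a + b, 2: lambda: a - b,
           3: lambda: a * b, 4: lambda: a / b}
    return ops[option]()

def calc_v2(option, a, b):
    """New release adding option 5 (average).

    Constructed defect: the midpoint formula lo + (hi - lo) / 2 needs
    lo <= hi, and the ordering step was placed in shared input handling,
    so it silently reorders the operands for every option.
    """
    lo, hi = sorted((a, b))          # intended for option 5 only
    ops = {1: lambda: lo + hi, 2: lambda: lo - hi,
           3: lambda: lo * hi, 4: lambda: lo / hi,
           5: lambda: lo + (hi - lo) / 2}
    return ops[option]()

# Recorded test cases from the original release: (option, a, b, expected).
PRIOR_TESTS = [
    (1, 8, 2, 10), (2, 8, 2, 6), (3, 8, 2, 16), (4, 8, 2, 4.0),
    (1, 2, 8, 10), (2, 2, 8, -6), (3, 2, 8, 16), (4, 2, 8, 0.25),
]
# Tests written for the new feature only.
NEW_TESTS = [(5, 8, 2, 5.0), (5, 2, 8, 5.0), (5, -4, 4, 0.0)]

def run_suite(calc, cases):
    """Return the failing cases as (option, a, b, expected, actual)."""
    failures = []
    for option, a, b, expected in cases:
        try:
            actual = calc(option, a, b)
        except Exception as exc:     # a crash counts as a failure too
            actual = repr(exc)
        if actual != expected:
            failures.append((option, a, b, expected, actual))
    return failures

def regressed_options(calc, cases):
    """Option numbers with at least one failing prior test."""
    return sorted({failure[0] for failure in run_suite(calc, cases)})

if __name__ == "__main__":
    print("new-feature failures:", run_suite(calc_v2, NEW_TESTS))
    print("regressed options   :", regressed_options(calc_v2, PRIOR_TESTS))
    for failure in run_suite(calc_v2, PRIOR_TESTS):
        print("  option %d (%s, %s): expected %s, got %s" % failure)
```

Testing only `NEW_TESTS` would ship `calc_v2`; re-running `PRIOR_TESTS` is the step that catches the reordered operands in subtraction and division.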
 
Curt Christianson

Thanks Hugh,
That's an answer even *I* can understand!
Curt
 
Frank Saunders, MS-MVP IE/OE

Ivan Bútora said:
I still wonder why they don't just make the download site publicly
accessible - I don't see the benefits of this strategy. Anyway, I
will call them tomorrow, more to test this procedure than out of a
burning desire for the patches themselves.

Q831167 is publicly available:
http://support.microsoft.com/?kbid=831167

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
Ivan Bútora

Thanks for the explanation.




 
Dapper Dan

Val
That fall, off that turnip truck, must have created more brain damage than previously anticipated!!!

 
David H.

Hello PA Bear..

Please can you help.. I have read all the thread.. I'm lost :(

I have a Win98SE machine that I'm pressing back into service for my daughter.
On the OE about screen it just says 6.00.26000.0000
No mention of SP's or Q numbers..

What or which updates do I actually need ?

Many Thanks ... David
 
PA Bear

The machine will need two (2) sets of updates.

First take the machine to Windows Update http://windowsupdate.microsoft.com
to install IE6-SP1. Follow all prompts. You will finally be prompted to
reboot.

After rebooting, return to Windows Update to download/install further
patches/updates to IE6-SP1 which will include at least one of the 13 Apr-04
updates.

To assure a clean install, close all other Windows-based applications,
including the anti-virus, before installing anything.

It's best to allow the Windows Update scanning engine to identify needed
updates instead of picking and choosing ones you think you need.
 
David H.

Hello PA Bear,

Many thanks for the prompt response and answers.
I currently have an ongoing issue with Windows Update not working that I will
need to solve.
It's not a date time problem.. But that's another thread.

Windows Update Error Windows Update has encountered an error.
This may be due to a discrepancy in your computer's time setting.

To check your date and time setting:

On the taskbar, double-click the time.
Verify that the date and time is correct.

You can also get online support if you are having problems with Windows Update.
Send error number to Microsoft (0x800C0008)

Best Regards - David
==========
 
