Microsoft posts revisions to security bulletins

Do you know how to say “Whoops!” in Czech? Staff at Microsoft Corp.’s headquarters may be asking themselves that question this week after two software patches the company released last week caused problems on foreign language versions of the Windows operating system and Exchange e-mail server.

On Wednesday, Microsoft issued “major revisions” to the two patches, MS03-045 and MS03-047 that included new patches for affected customers and additional instructions to get the patches to stick on vulnerable systems.

Microsoft, based in Redmond, Wash., was not immediately available to comment.

Security bulletin MS03-045 concerns a buffer overrun vulnerability in a component of most supported versions of Windows. Microsoft rated the issue “important,” but not critical. If left unpatched, the security hole would allow any person with a valid user login and password for an affected system to take total control of that machine and run malicious code on it. (See

After releasing the bulletin and the associated patches, Microsoft discovered compatibility problems between the patch and third-party software on systems running foreign language editions of Windows 2000 with Service Pack 4, Microsoft said.

Russian, Spanish and Italian versions of Windows 2000 were affected, in addition to a number of other languages, including Czech, Finnish and Turkish, Microsoft said.

On Wednesday, Microsoft released fixed versions of the patch for the affected languages.

Security bulletin MS03-047 was rated “Moderate” and described a cross-site scripting vulnerability in Exchange Server 5.5, Service Pack 4. If left unpatched, the problem could allow a remote attacker to send a user on a vulnerable system an e-mail message containing an embedded Web link to trick victims into running a computer script of the attacker’s choice, Microsoft said.

On Wednesday, Microsoft said that it discovered that the patch did not work for some customers who installed foreign language versions of Outlook Web Access (OWA), an Exchange service that enables e-mail users to access their Exchange mailbox using a Web browser instead of the Outlook mail client.

While customers running English, German, French and Japanese versions of OWA were covered by the original patch, those running OWA in other languages need to apply the re-released version, Microsoft said.

The backtracking came after Microsoft Chief Executive Officer Steve Ballmer introduced a new, streamlined approach to distributing software patches two weeks ago. Citing complaints from customers about the difficulty of staying on top of weekly security patches from the company, Ballmer said that Microsoft would switch from a weekly to a monthly patch release schedule, unless it felt that customers were in imminent danger of attack from a known product vulnerability.

Last week, Microsoft released the first of its monthly bulletins containing patches for four critical holes in the Windows operating system and one critical flaw in Exchange, in addition to the lower-rated vulnerabilities Microsoft re-released this week.