June 2005 Security Updates
Jun. 20, 2005

June 2005's "Patch Tuesday" included three critical and four important patches for vulnerabilities in Microsoft software. Customers can download the patches from the new Microsoft Update Web site or deploy them with the latest version of Windows Server Update Services (WSUS). But switching from Windows Update to Microsoft Update is not automatic: customers must first review the license agreement and install a new ActiveX control.

June Patches and Tools

The three critical patches all fix vulnerabilities in Windows, including the following:

  • A cumulative patch for problems with the display of PNG images and XML content in Internet Explorer
  • A patch to provide better validation of input data in HTML Help
  • A patch to fix validation of certain incoming packets in the Windows implementation of the Server Message Block (SMB) protocol

On unpatched systems, these critical vulnerabilities could allow an attacker to take full control of the vulnerable computer.

The patches labeled "important" address several problems with Windows. They include a cumulative patch for Outlook Express, a fix for a problem with Outlook Web Access and Exchange, and a patch for the Step-by-Step Interactive Training engine, which is used by some tutorials included with Windows and some Microsoft Press titles. Other publishers of training titles, including some OEMs, also distribute the Step-by-Step Interactive Training engine, so there is no definitive list of all the titles that may have been provided or preinstalled with this software. Therefore, Microsoft will offer this security update via Windows Update to Windows 2000, Windows XP, and Windows Server 2003 systems. However, Microsoft is not offering this patch for earlier versions of Windows, even though the affected software might be installed on those systems. (For a chart summarizing critical and important patches, see "June 2005 Security Communications Summary".)

Finally, there were "moderate" patches for Windows, Windows Services for UNIX, and Internet Security and Acceleration (ISA) Server, and the Malicious Software Removal Tool was updated to remove the ASN.1 worm and variants of Spybot, Kelvir, Lovgate, and Mytob.

There were no new Security Advisories (a new type of security communication introduced in May 2005), but several previously issued bulletins were re-released with new or updated information, including MS02-035, MS05-004, and MS05-019.

There was no mention of the promised security rollup for Windows 2000, which will leave Mainstream support at the end of June 2005. The last service pack for Windows 2000 was SP4.

New Deployment Tools

Although Microsoft announced the availability of the updated WSUS and the new Microsoft Update at its June 2005 TechNet Conference, customers who previously used Windows Update and the separate Office Update Web sites will not be automatically redirected to Microsoft Update. Instead, they must go to the Microsoft Update Web site and opt in to the service by acknowledging some licensing terms and installing a new ActiveX control.

The June 2005 patches are available through Microsoft Update and Windows Update and can be redistributed in an organization with WSUS.

Resources

Information about updates released in June 2005 can be found at www.microsoft.com/technet/security/current.aspx.

The updated Windows Server Update Services and new Microsoft Update Web site are described in "Updated Patching Tools Cover OSs, Applications" of the July 2005 Update.

To start using the unified Microsoft Update Web site, see update.microsoft.com/microsoftupdate.

The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.

A list of Microsoft Press titles that include the Step-by-Step Interactive Training engine is provided in Microsoft Knowledge Base article 898458, accessible via support.microsoft.com.