April 2004 Critical Security Updates

Three critical updates were issued in Microsoft’s Apr. 2004 monthly security posting. The vulnerabilities that they repair enable an attacker to gain complete control of a computer over the Internet, in some cases without any action on the part of the computer’s user, which makes them a potential platform for worms and viruses. (For a chart summarizing these critical updates, see “Apr. 2004 Critical Update Summary“.)

With this release, Microsoft has begun to group patches for vulnerabilities together in order to take advantage of shared files between the patches. For example, the update labeled MS04-011 includes patches for 14 separate vulnerabilities. This consolidation reduces patch size because administrators need only download one copy of the files affected by the update, rather than one copy for each separate patch in the update. However, it means that administrators must carefully read each bulletin to see what patches an update contains.

The Apr. 2004 releases also include an update for a vulnerability in the Jet 4.0 database engine which enables an attacker to gain control of a system, but which only rates as “important” because the attacker first has to log on to the affected computer.