Three weeks ago, I mentioned in a news story (see the URL below) that Microsoft had released a copy of its Security Rollup Package 1 (SRP1) for Windows XP to beta testers. Late last week, the company released the package to the public, but under a different name. Update Rollup 1 for Microsoft Windows XP is now available from the company's Windows Update Web site and through Microsoft Software Update Services (SUS). http://www.winnetmag.com/windowssecurity/article/articleid/40403/windowssecurity_40403.html
Update Rollup 1 contains 22 hotfixes in one installable package. The Microsoft article "Update Rollup 1 for Windows XP Is Available" (URL below) describes the hotfixes the package contains and provides a link for direct package download. The standard version of the update is about 9MB in size and can be installed on XP systems that don't have Service Pack 1 (SP1); the smaller express version of the update requires SP1.
Update Rollup 1 contains all the previously released security patches for XP, with a few important exceptions. Microsoft released seven new Security Bulletins last week regarding problems that affect Windows and Microsoft Exchange Server platforms. Five of the bulletins pertain to XP, and their accompanying patches didn't make it into the Update Rollup 1 package. So in addition to loading Update Rollup 1, you should consider loading the patches associated with Microsoft Security Bulletins MS03-041 (Vulnerability in Authenticode Verification Could Allow Remote Code Execution), MS03-042 (Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution), MS03-043 (Buffer Overrun in Messenger Service Could Allow Code Execution), MS03-044 (Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise), and MS03-045 (Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution) to completely update your XP systems. You can find details about those problems on our Web site at the URL below. Be sure to read the news item that I point to in Section 3 below for a few more details about Update Rollup 1 as well as an interesting tidbit about the upcoming XP SP2.
If you manage Microsoft SQL Server platforms, you're probably glad that hotfixes for that platform aren't required nearly as often as for the underlying Windows OS. Even so, staying on top of the latest SQL security threats and vulnerabilities is important. Yahoo! Groups hosts a moderated SQL Server Security mailing list that was started in March, is open to anyone, and has 344 subscribers. The list traffic is low, so keeping up with it is easy. Instructions for joining are at the URL below.
Last week, I wrote about Microsoft CEO Steve Ballmer's talk at the company's recent partner conference. I mentioned that Microsoft would continue to support Windows 2000 systems with SP2 and Windows NT Workstation 4.0 with SP6a until June 2004. A few readers found that statement confusing and wondered whether Microsoft would no longer support Win2K after next June.
That's certainly not the case, and I offer my apologies for the confusion. To clarify the matter, Win2K with SP2 will in fact become unsupported. However, two other service packs (SP3 and SP4) have followed SP2. To continue receiving support, Win2K users must upgrade their systems to one of the newer service packs.