Microsoft has released its monthly batch of security updates for September 2004 and there are some that affect Office as well as Windows generally. In this issue we’ll try to explain what you need to do.
The problem this month is yet another buffer overrun where, in this case, a JPG image could be rigged to run malicious code on your computer. All you’d have to do is display such a JPG image on a vulnerable computer and the code would run – ouch.
To protect against this problem you have to make sure that Windows itself is updated AND Microsoft Office AND any other program that can display JPG images.
Microsoft’s full bulletin can be found here and in this issue we’ll try to explain what to do. We’ll start with Windows then Office then the rest.
For this security fix the update for Windows goes hand in hand with that for Office so we’ll talk about both.
We’ll start with the good news – Windows XP Service Pack 2 users are NOT affected (SP2 includes broad buffer overrun protection) so if you were considering updating your machines to SP2 this might be a good time.
We’ve been progressively updating the Woody’s Watch machines to SP2 and it has been a painless process, albeit time-consuming. It can take up to an hour for SP2 to be applied. If you have more than one computer it’s best to download the entire SP2 package in one hit then apply it to each computer. We put it on a network share and applied it from there but you could also burn it to a CD and insert it into each computer.
Windows 2000 with SP3 or SP4, Windows NT Server 4 with SP6a, NT Terminal Server with SP6, Windows 98, 98 Second Edition and Windows ME are also NOT affected and do not need any update. No word on Windows 3.x.
But any other version of Windows is affected including Windows XP, XP with SP1, the XP 64-bit editions and Windows Server 2003. You need to get the respective update from the list under the heading Affected Software.
Running the Windows Update feature (in Internet Explorer – Tools | Windows Update) should detect the correct updates you need for Windows – but not for the other programs that need fixing.
Having fixed Windows you now have to update Microsoft Office.
Office 2003 is affected but not Office 2003 with the recently released Service Pack 1 so, as with Windows XP SP2, this might be a good time to make the change. Though, as usual, we’re more wary of Office updates than Windows ones.
You’ll also need to update Visio 2003 and Project 2003 to Service Pack 1.
OFFICE 2003 without SP1
If you’re not prepared to take the leap into SP1 then you can download a separate security update.
You should use this update on any Office 2003 software – the entire bundle or any part (i.e. just Word 2003) as long as it is not already updated to Service Pack 1 level.
Producer for PowerPoint 2003
There’s an update for all versions of Microsoft Producer for PowerPoint.
OFFICE XP (including all ‘2002’ version Office products)
Project 2002 requires the Project 2002 Service Pack 1 to be installed then the special update here.
Visio 2002 requires Visio 2002 Service Pack 2 plus this new update.
According to Microsoft, Office 2000, Visio 2000 and Project 2000 are NOT affected.
Yes, there’s an automated Office Update service for recent versions of Office – but frankly we’ve seen too many complaints about Office Update to suggest using it. It might have a place in detecting what updates are needed but prudent Office users download the updates separately.
OTHER PROGRAMS TO UPDATE
Beyond Windows and Office there are other Microsoft programs that need patching.
Internet Explorer 6 SP1
If you’re running IE v6 Service Pack 1 on top of Windows 2000, Windows 98, 98 SE or Windows ME then there’s an update for that.
The core files for .NET also need fixing as does Visual Studio .NET 2002 or 2003.
The Microsoft platform SDK has a patch also.
Microsoft picture software is, naturally, affected. There are updates for Picture It! 2002, v7 and v9, Greetings 2002 and Digital Image Pro v7 and v9 plus Digital Image Suite v9.
NOTE: MSN v9 can also include some of the MS picture software.
WHAT IS THE GDI+ DETECTION TOOL?
Microsoft has released a small program that can scan your computer and work out if any Microsoft products need updating to fix this security threat.
Click here for details. While you can get this tool via Windows Update, that will only run once. Better to download it separately so you can use it on more than one computer or re-check a single machine.
You have to be logged onto the computer as an administrator to let this tool work.