Microsoft releases first Server 2003 patch

Microsoft last night announced the first patch for users of the new flagship operating system Windows Server 2003, on the same day that it also promised to improve the delivery of its patches.

The company assured customers that the operating system itself is still sound, as the bug is in a related application rather than in Server 2003.

The patch plugs a vulnerability in Internet Explorer 5.01, 5.5 and 6.0 on all Windows platforms, which could allow for the execution of malicious code on a vulnerable machine.

For example, an attacker could run programs on a computer used to view a maliciously crafted website.

Simon Conant, security programme manager at Microsoft, explained that the patch actually highlighted the differences in Windows Server 2003 compared to previous operating systems.

"The vulnerability has been downgraded two levels to 'moderate' [from 'critical'] on Windows Server 2003 because, in its default installation, the operating system is unaffected by this latest bug," he said.

Conant claimed that this is because Server 2003 benefits from an "enhanced configuration" system in Internet Explorer.

However, it is still recommended to install the patch as changing the default configuration could make a machine vulnerable.

The announcement coincided with a speech by Scott Charney, Microsoft's chief security strategist, at the company's TechEd 2003 conference in Dallas, where he admitted that patching systems is often difficult and that variable quality means people are not always confident about the installation.

More details are available on the Microsoft Support website. It is not thought that there are any instances of the vulnerability being used exploited. The patch is available here.